27-May-2022 11:42
Hi experts,
I am trying to set up SSL two-way authentication following this link https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Trusted Certificate Authorities" field in the Client SSL profile. However, this would authenticate anyone with a client cert signed by that CA (e.g., DigiCert), correct? How do I make it accept only a specific client cert (e.g. xyz.example.com but not abc.example.com)? I have tried to specify the client cert in that field and the GUI accepts the setting, but it doesn't work.
Thanks!
27-May-2022 20:15
when CLIENTSSL_HANDSHAKE {
    # Runs after the profile has already validated the chain against
    # "Trusted Certificate Authorities"; add a check on the subject here.
    if { [SSL::cert count] > 0 } {
        # Substring match on the subject DN of the client's leaf certificate
        if { [X509::subject [SSL::cert 0]] contains "CN=xyz.example.com" } {
            return
        } else {
            log local0. "invalid client cert post, subject is: [X509::subject [SSL::cert 0]]"
            drop
        }
    }
}
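A stricter variant, added here as an example and not part of Xuwen's reply: it matches the whole subject DN exactly against an allowlist instead of a substring, so a certificate whose CN merely contains xyz.example.com (for instance CN=xyz.example.com.test) is not accepted. It assumes a String data group named allowed_client_subjects exists on the BIG-IP and holds the full subject DNs (in the same format X509::subject returns, e.g. "CN=xyz.example.com,O=Example,C=US") of the permitted client certificates; that name is an assumption, not something from the thread.

```tcl
# Added example (not from the thread). Assumes:
#  - the Client SSL profile has "Client Certificate" set to Require and a
#    "Trusted Certificate Authorities" bundle that validates the chain;
#  - a String data group "allowed_client_subjects" (hypothetical name) lists
#    the full subject DNs of the client certificates that may connect.
when CLIENTSSL_HANDSHAKE {
    # Defence in depth: with "Require" the handshake already fails without a
    # valid chain, but re-check here so the allowlist is never consulted for
    # a missing or unverified certificate (0 == X509_V_OK).
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "client cert missing or failed chain validation from [IP::client_addr]"
        reject
        return
    }

    set cert    [SSL::cert 0]
    set subject [X509::subject $cert]

    # Exact match ("equals"), not "contains": a substring test would also
    # accept CN=xyz.example.com.test or an OU that embeds the expected CN.
    if { [class match -- $subject equals allowed_client_subjects] } {
        log local0. "accepted client cert: $subject from [IP::client_addr]"
        return
    }

    log local0. "rejected client cert: $subject issuer [X509::issuer $cert] serial [X509::serial_number $cert]"
    reject
}
```

To allow a different set of certificates you only edit the data group, not the iRule. If a single certificate must be pinned rather than a subject, the same lookup can be keyed on "[X509::issuer $cert]|[X509::serial_number $cert]", which is unique per certificate but has to be updated on every renewal; log the values once first so the data-group entries use the exact string format the BIG-IP returns.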
28-May-2022 09:08
Thank you Xuwen! So it is not possible to do it in the GUI, and an iRule would be required for this, correct?
28-May-2022 19:22
Sure, you don't need iRules; you can use only the GUI. First, in the Client SSL profile set the "Client Certificate" option to "Require". Then, instead of a public CA certificate, use a self-signed CA certificate and sign the client certificate with that self-signed CA to test the verification, and use curl --key xxx --cert xxx on the client side to test two-way SSL.
28-May-2022 09:09
Hi Mollie, thanks but you referenced exactly the same link as in my original post... It doesn't work for my need.