LTM two-way SSL authentication with a specific client cert, not CA cert

DifanZ
Cirrus

Hi experts,

I am trying to set up SSL two-way authentication following this link: https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Trusted Certificate Authorities" field in the Client SSL profile. However, this would authenticate anyone with a client cert signed by the CA (e.g., DigiCert), correct? How do I make it accept only a specific client cert (e.g. xyz.example.com but not abc.example.com)? I have tried to specify the client cert in the field; the GUI accepts the setting, but it doesn't work.

Thanks!

4 REPLIES

xuwen
MVP
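when CLIENTSSL_HANDSHAKE {
	# Only inspect the certificate if the client presented one;
	# with no certificate this iRule takes no action
	if { [SSL::cert count] > 0 } {
		# SSL::cert 0 is the client's own certificate.
		# "contains" is a substring test on the whole subject string
		if { [X509::subject [SSL::cert 0]] contains "CN=xyz.example.com" } {
			return
		} else {
			# Log the rejected subject, then drop the connection
			log local0. "invalid client cert post, subject is: [X509::subject [SSL::cert 0]]"
			drop
		}
	}
}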
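
An added example, not part of the original thread and not F5's own code: a variant of the iRule above that extracts the CN attribute and compares it for equality (the `contains` test also passes any subject in which the expected text is only a prefix of a longer name), checks the issuer, and rejects when no certificate is presented. It assumes `X509::subject` returns a comma-separated DN with no commas inside attribute values; the issuer string is a constructed placeholder.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Pinned values. The CN is the one from the question; the issuer DN is a
    # constructed placeholder, to be replaced with the value logged for the
    # real certificate.
    set pinned_cn "xyz.example.com"
    set pinned_issuer "CN=Example Issuing CA,O=Example Org,C=US"

    # No client certificate at all: refuse instead of falling through.
    if { [SSL::cert count] == 0 } {
        log local0. "client cert missing, rejecting"
        reject
        return
    }

    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
    set issuer [X509::issuer $cert]

    # Assumption: the subject is a comma-separated list of attr=value pairs
    # and no value contains a comma. Pull out the CN attribute only.
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    # Equality on the extracted CN and on the issuer DN, not "contains".
    if { [string equal -nocase $cn $pinned_cn] && [string equal $issuer $pinned_issuer] } {
        return
    }

    log local0. "client cert refused, subject: $subject issuer: $issuer"
    reject
}
```

The log line prints the subject and issuer exactly as the BIG-IP renders them, which is the form the pinned strings have to match.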

Thank you Xuwen! So it is not possible to do it in the GUI, and an iRule would be required for this, correct?

Sure, you don't need iRules; you can use only the GUI. First, set the "Client Certificate" option in the Client SSL profile to "Require". Then you can use a self-signed CA certificate ( ) instead of a public CA certificate: use the self-signed CA certificate to sign the client certificate to test the verification, and use curl --key xxx --cert xxx on the client side to test two-way SSL.

Hi Mollie, thanks but you referenced exactly the same link as in my original post... It doesn't work for my need.