Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Unable to define WSS client certificate in F5-ASM

Go to solution
Mountazar
Nimbostratus
Nimbostratus

‎02-Sep-2022 23:42

Hello, I'm trying to define for web-services security, a client certificate client_cert issued by another self-signed certificate root_cert, under:

Security >> Options:Application Security: Advanced Configuration: Certificates Pool >> Certificate Properties

I need to paste the PEM text only for the leaf certificate (client_cert) and need to rely on having F5 trust it based on having the root_cert defined elsewhere. 

The problem is whwne saving the client_cert I'm getting an error:

  • Validation failed: Failed to verify the certificate, /ts/var/cert/temp_ssl_cert.pem: C=ZA, O=Org_name, OU= Unit_name, CN= Community_name error 20 at 0 depth lookup: unable to get local issuer certificate

I tried to define the issuing certificate (root_cert) in /config/ssl/ssl.crt/ca-bundle.crt using:

  • openssl x509 -in root_cert.crt -text >> /config/ssl/ssl.crt/ca-bundle.crt

But still getting the same above error.

Kindly help,

Regards,

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Mountazar
Nimbostratus
Nimbostratus

‎04-Sep-2022 04:30 - edited ‎04-Sep-2022 04:34

It appeared that after executing the below command:

  • openssl x509 -in root_cert.crt -text >> /config/ssl/ssl.crt/ca-bundle.crt

The root_cert was appended to the last line of the previously existing certificate:

-----END CERTIFICATE----- Certificate:

We had to insert a blank line between these to become as follows at which moment we could define successfully the client WSS certificate (client_cert):

-----END CERTIFICATE-----

blank_line

Certificate:

Regards,

.

View solution in original post

0 Kudos
1 REPLY 1

Go to solution
Mountazar
Nimbostratus
Nimbostratus

‎04-Sep-2022 04:30 - edited ‎04-Sep-2022 04:34

It appeared that after executing the below command:

  • openssl x509 -in root_cert.crt -text >> /config/ssl/ssl.crt/ca-bundle.crt

The root_cert was appended to the last line of the previously existing certificate:

-----END CERTIFICATE----- Certificate:

We had to insert a blank line between these to become as follows at which moment we could define successfully the client WSS certificate (client_cert):

-----END CERTIFICATE-----

blank_line

Certificate:

Regards,

.

0 Kudos
Copyright © 2023 Khoros, LLC