Security Certificate Inventory and Management
Hello! Several years ago, I was tasked with oversight for our security certificate inventory and management after we encountered unintended outages because no change management was in place to ensure everyone was on the same page. Our change management process is considerably better as we're using actual change requests instead of email. 😃 Our previous security certificate inventory was a privately held spreadsheet by the person managing most of our certificate renewals and updates. If our Nagios admin cannot configure an alert to check a cert, we're at risk of missing a certificate expiration. We have self-signed certificates as well as certificates purchased from vendors. We're now relying on reports from Nagios based on certificate checks configured by our Nagios admin. This data goes into Splunk and I receive a weekly report with certificate data. I'm using an MS Teams channel that includes systems admins as well as database and application development resources. I alert the group when a certificate or certificates are expiring in 30 days. I've been told that no certificate renewals can be done more than 30 days prior to expiration. In short, I nag until someone submits a change request with a scheduled maintenance window to update the certificate(s) prior to expiration. Although our current process is much better than when I first became involved, improvement is needed, so I'm asking for suggestions/recommendations. What security certificate inventory management solutions are you using? What are your security certificate management processes? Thank you!
Jodi

Deleting Old Certs
Good day, I know there have been threads on this but none of them have what I am looking for. Here is some background on what is going on. We had to upgrade our F5 to 15.1.8. Prior to upgrading we had a few certs that expired, so the thought was: let's do the upgrade first, then we can remove the expired certs. But after the upgrade we attempted to remove the certs, first via the GUI (System => Certificate Management => searched for the expired cert and checked the box => clicked on Delete), but that didn't do anything; it's still there. So I tried the command line: delete sys file ssl-cert <Cert name>, but same results. How do I remove these old certs? Where besides /Common are these files stored? Thank you in advance!
Warren

LTM v13: Certificate Archive does not work
Hi all, Has anyone got this to work? https://support.f5.com/csp/article/K146208 I have v13.1.0.2 and try to export certificates as a *.tgz but I get the following error: Key management library returned bad status: -99, Internal Error; connection not set and no session from which to get it. So it is not possible to export the certs anymore 😞 Any hints are welcome! Thanks,
Peter

TFS Load balancing using 2 LTM and a GTM. Where to install the certificate?
I have a 2 app server (IIS) TFS infra, where I have configured 2 LTMs and a GTM. Everything seems to be working fine, other than the GTM URL not being secured. My question is, where do I install the certificate? Is it on the IIS server where the application is running, or somewhere in GTM? Do I need the cert to contain all the CNAMEs in it as aliases?

CRYPTO::encrypt import key or cert from SSL Certificate List
Hello, I use the CRYPTO::encrypt function and it works very well. But it is needed to write the private key in the iRule. Is there a way to import the private key or certificate directly from the "SSL Certificate List" or read it in as a file? Thanks for your help.

Validating SSL certificate
I am doing some certificate validations. 1. I need to validate that the client is presenting a certificate. I realize I can require it in the clientssl profile, but I have no log entry if I get a failed request. So I would like to do this in the iRule that does the other validations based on the subject_dn. 2. I am having trouble finding information on some sample rule commands. What is [SSL::cert 0]? Also, SSL::cert count - what is that counting? 3. Do I want to evaluate this at CLIENTSSL_HANDSHAKE or CLIENTSSL_CLIENTCERT? Also, this is not HTTP traffic.

character limit f5 subject alternative name
Guys, I am having an issue creating a .csr in F5. Do we have a limit on characters for Subject Alternative Names? We have 1111 characters including spaces in the Subject Alternative Name, however it gives an error: "error occurred while processing your request". But when I delete a few domains (about 2) it is successful :( Please help. Thanks