Forum Discussion

Janez
Nov 25, 2019

Client use certificate to authenticate to Server

Hello,

I have a question about how to properly configure the Client SSL profile and Server SSL profile on a virtual server so that a client can authenticate to a server which is behind F5.

I want to implement an ASM policy on the virtual server and look into the traffic.

Which certificate must I use, and where in the configuration of the profile?

Thanks,

Janez Persin

  • Janez

    Hello,

    Thanks for this, but I don't know how I must configure the Client SSL profile. Which certificate must I use?

    Thanks,

    Janez

    • You can use whatever Client SSL profile you want, because when using Proxy SSL, this certificate is ignored:

      • BIG-IP copies the same Server SSL/back-end server certificate to the Certificate message sent to the client on the client side.
        • BIG-IP completely ignores the certificate you configured on Client SSL. It always uses the same server-side certificate.

      You should import the server's certificate and key:

      BIG-IP has an extra configuration requirement for Proxy SSL configuration (according to K13385): you should add the same certificate/key present on the back-end server to the Certificate/Key fields on the Server SSL proxy of BIG-IP. This way BIG-IP can decrypt both client and server sides of the connection.

  • Janez

    Hello,

    I understand the post, but the problem is that the server uses ECDHE ciphers, and ciphers which use Perfect Forward Secrecy do not allow such decryption with SSL Proxy.
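
The distinction raised in the post above can be checked against a server's cipher list. This is an added example, not part of the thread and not F5 code: it sorts OpenSSL- or IANA-style suite names into RSA key transport (the session secret is recoverable by whoever holds the server's private key) and ephemeral (EC)DHE (forward secret). The function names and the sample list are assumptions made for illustration.

```python
import re

# TLS 1.3 suite names carry no key-exchange token; the exchange is always (EC)DHE.
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")
EPHEMERAL = {"ECDHE", "DHE", "EDH", "EECDH"}
# OpenSSL names that start with the bulk cipher have no prefix: RSA key transport.
RSA_BARE = {"AES128", "AES256", "DES", "RC4", "RC2", "IDEA", "SEED", "NULL",
            "CAMELLIA128", "CAMELLIA256", "ARIA128", "ARIA256"}


def key_exchange(suite):
    """Classify a suite name as 'rsa', 'ephemeral' or 'other' (review by hand)."""
    name = suite.strip().upper()
    if name.startswith("EXP-"):          # export-grade prefix, not a key exchange
        name = name[4:]
    if TLS13.match(name) and "_WITH_" not in name:
        return "ephemeral"
    if name.startswith("TLS_") and "_WITH_" in name:
        # IANA form: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
        kx = name[4:].split("_WITH_")[0].split("_")
        if kx == ["RSA"]:
            return "rsa"
        return "ephemeral" if kx[0] in EPHEMERAL else "other"
    # OpenSSL form: [<kx>-[<auth>-]]<cipher>-...-<mac>
    first = name.split("-")[0]
    if first in EPHEMERAL:
        return "ephemeral"
    return "rsa" if first in RSA_BARE else "other"


def triage(suites):
    """Group suite names by key-exchange class, preserving input order."""
    groups = {"rsa": [], "ephemeral": [], "other": []}
    for s in suites:
        groups[key_exchange(s)].append(s)
    return groups


# Constructed sample of suites a back-end server might offer (not from the thread).
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DHE-RSA-AES256-SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "PSK-AES128-CBC-SHA"]

if __name__ == "__main__":
    for kind, names in triage(SAMPLE).items():
        print(f"{kind:10} {names}")
```

Suites reported as `other` (PSK, static DH/ECDH, anonymous) are neither case and need a manual look.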

  • The best solution is to enable the C3D feature...

    The BIG-IP has a CA signing a client certificate with the same properties as the real client certificate.

    This feature is available starting with version 13.1.