Forum Discussion

Subrun's avatar
Icon for Cirrostratus rankCirrostratus
Feb 24, 2022

Queries related to F5 Certificate Based Authentication.

Hello all and Rodrigo_Albuque 

I need some help as below.

Refer to below I have some questions.

I need to allow 2 client to access one web applicaiton hosted at my F5. And for those 2 client I want to allow certificate based authtication.

At the Trusted Certificate Authorities, should I concetanate Root and Intermediate Cert of a Client Cert. And Client Cert should be at the Client Machine who will try to access my application.

and what will be the client cert ? is it provdied by my client or me ? I mean what will the CN Name for a Client Cert ?


3 Replies

  • Hey Subrun, thanks for your question. You need the CA certificate that signed the client certificate to be present in the Trusted Certificates Authority file, not the client certificate itself. Remember that this file will have a lot of CAs that are usually trusted by browsers. Also, the same CA certificate can optionally be added to Advertised Certificate Authorities so it can inform the client that it is looking for a certificate that was signed by "this" CA.

    The client certificate should be in the client machine and should be sent to BIG-IP during the TLS handshake. The CN or Subject Alt Name for a client certificate it is up to you. You can set it to a hostname to identify the machine or something that uniquely identifies the application. The hostname is the more common use I've seen out there. 

    If you're not familiar with the process, I'll give you a brief overview. Normally, you will create a key and a CSR (Certificate Signing Request) using the tool of your choice (e.g. OpenSSL). Then, you present the CSR to an official CA (e.g. Verisign, etc) and they will sign it and "convert" it to a "CRT" file. Then, you append the CA that signed your request to the Trusted Certificate Authority file. Once the Client Certificate is sent by your Application, BIG-IP should be able to validate such certificate as long as you enable the settings described in my article.

    Hope it helps.


  • Hi Subrun, apologies for the delayed reply but I wasn't feeling very well in the last couple of days. BIG-IP will return the client certificate as valid if it's signed by one of the CAs in your Trusted Certificate Authorities file. If you need to restrict access to your specific certificate, you need to use iRules. Here's an example:

    Also, note that you don't have to sign your cert by a Public CA. You can create your own self-signed CA, create your client certificate and sign it with your self-signed CA. and then you can add your self-signed CA that signed your client certificate to Trusted Certificate Authorities. It works as well.

  • Subrun's avatar
    Icon for Cirrostratus rankCirrostratus

    Hello Rodrigo_Albuque 

    I am very happy that you replied.

    One quick question, for example i have a public web applciation hosted at my public F5  and i am trying to set this--  Cert based auth  . As you wrote in article , plan is to sign a cert by a Public CA and give it to a Client to use at their browser to use so that Client can initiate Cert Based Auth request to my F5 VIP.

    Question, in F5 settings we are calling Trusted CA Cert  ( Intermediate Cert and Root Cert ) which certified the Client Cert , and that Trusted Cert also certified some other Client Certs for different different companies in that case all other client cert certified by same Trusted Cert Auth will be able to access my F5 application ?