Forum Discussion
Kevin_K_51432
Historic F5 Account
Greetings Dirken,
I have no background with Windows server, but let me offer some background on BIG-IP; there may be some overlap in behavior?
If you wish to have a server-ssl profile to send a certificate, you must also include the key.
If you wish to have a client-ssl profile send a certificate you must:
- Import the certificate and key.
- Associate the certificate and key with the client-ssl profile.
- Associate the profile with a virtual server.
So in summary, perhaps try importing the accompanying key and ensure whatever service (IIS?) is configured to reference the certificate and key.
Good luck, hope you get this resolved soon!
Kevin
dirken
Jun 06, 2017 - Nimbostratus
Hi Kevin,
The server side is fine, my problem is the client side. The clients connecting to the VS, however, are Windows 2016 servers - maybe this created a bit of confusion.
I did not import the specific cert/key because there are several clients (Win2016) connecting to this VS. So I imported the cert of the issuing (root) CA. This cert is referenced in the client ssl profile for client authentication as trusted CA and advertised CA.
If the CA cert was not present, the config would not even save correctly, so this should be fine. I am pretty sure it is one of two possible issues:
1 - a general problem on the client (Win2016 server)
2 - a problem with cert choice on the client: as there is no user initiating the connection, a popup to choose a cert will not work. It is the only cert on the client, however, and I am advertising the accepted CA exactly for this purpose.
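
One way to check the second possibility from outside the client, as an added example that is not part of the original thread: compare the CA names the virtual server advertises (the "Acceptable client certificate CA names" section of `openssl s_client` output) with the issuer of the client's certificate (from `openssl x509 -noout -issuer`). The sample output and DNs are constructed, the function names are hypothetical, and the parser assumes DN values contain no `/`.

```python
import re

# Constructed sample of `openssl s_client -connect <vs>:443` output (not from the thread).
SAMPLE_OUTPUT = """\
---
Acceptable client certificate CA names
C = DE, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
---
"""

def parse_dn(dn):
    """Normalise 'C = DE, O = X' or '/C=DE/O=X' into a tuple of (attr, value) pairs."""
    # Split on '/' or on a comma that is followed by the next 'attr =' token,
    # so a comma inside a value ("Example, Inc.") does not split the DN.
    parts = re.split(r"/|,\s*(?=[A-Za-z0-9.]+\s*=)", dn.strip())
    pairs = []
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(pairs)

def advertised_cas(s_client_output):
    """Return the DNs listed under 'Acceptable client certificate CA names'."""
    names, inside = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            inside = True
        elif inside:
            if "=" not in line:  # next section header or '---' ends the list
                break
            names.append(parse_dn(line))
    return names

def check_issuer(issuer_dn, s_client_output):
    """'no-list' if nothing is advertised, else 'match' or 'mismatch'."""
    cas = advertised_cas(s_client_output)
    if not cas:
        return "no-list"
    return "match" if parse_dn(issuer_dn) in cas else "mismatch"

if __name__ == "__main__":
    # Issuer string as printed by older OpenSSL releases (slash-separated form).
    print(check_issuer("/C=DE/O=Example Corp/CN=Example Issuing CA", SAMPLE_OUTPUT))
```

A "mismatch" or "no-list" result points at the advertised CA configuration; a "match" moves suspicion to certificate selection on the client itself.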