Forum Discussion
Rafa_Ayala
Nimbostratus
Thanks Piotr
I have 2 problems:
I followed the solution: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14499.html
and the step:
Applying the certificates and keys to a Client SSL profile
when I create the ssl profile:
create / LTM ssl client-profile (profile name) ca-file cert.crt clientCA-client-cert-ca cert clientCA-cert.crt client1.crt client1.key key peer-cert-mode requires
there is an error:
010717e3: 3: Client profile must have RSA SSL certificate / key pair.
I understand that when I follow this solution, I set up a CA and signed certificates. I wonder if I can issue one certificate for client authentication and one for the public IP or URL I have in the VS.
thanks
dragonflymr
May 28, 2015
Cirrostratus
Hi,
I can't help you with finding the error in the tmsh command - I never used it to set up a clientssl profile. Considering the GUI setup for a profile requiring client certificate based authentication, my findings are:
In the Configuration part of the profile, the certificate and private key (with chain if necessary) are set - this is the cert and key that the server uses to prove its identity and generate the bulk encryption key (pre master secret, then master key). It is a completely separate cert and key from the one the client is using.
The client cert can be signed by a completely different CA than the server cert (for example the server cert can be self-signed but the client cert signed by some well known CA or the private CA of the company).
The client cert and key have to be installed on the client workstation and browser; they are used by the client to prove that he is who he claims to be. The server cert and key allow the server to prove that it is who it claims to be (and of course the server cert is necessary to encrypt traffic; the client cert or key is not used for that at all).
Notice that the only thing you need to set in the Client Authentication section of the clientssl profile is the CA/CAs that the server trusts. The CA that signed the client cert has to be one of the CAs defined in the cert/chain cert set here. Advertised Certificate Authorities is not so important; it can be set but is not necessary to perform successful client certificate based authentication.
I advise using Wireshark to trace the SSL handshake to understand and troubleshoot errors.
A great resource to read is this article series https://devcentral.f5.com/articles/ssl-profiles-part-1 - I learned a lot here and it helped me figure out how to configure the profile and how to troubleshoot issues.
Piotr
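As an added illustration of the reply above (this script is not part of the thread and not F5 code), the following builds a throwaway PKI with two unrelated CAs, one signing the server (VS) cert and one signing the client cert, and then runs the two checks a practitioner would do before loading the files into a clientssl profile: that a cert and key actually belong together, and that the client cert chains to the CA placed in the Client Authentication section. All file and subject names are constructed placeholders; openssl must be in PATH.

```shell
#!/bin/sh
# Constructed example: two independent CAs, as described in the reply.
set -e

setup_pki() {
  dir=$(mktemp -d)
  cd "$dir"
  # Server-side CA and the server (VS) certificate it signs
  openssl req -x509 -newkey rsa:2048 -nodes -keyout server-ca.key -out server-ca.crt \
    -days 30 -subj "/CN=Server CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=vs.example.test" 2>/dev/null
  openssl x509 -req -in server.csr -CA server-ca.crt -CAkey server-ca.key \
    -CAcreateserial -out server.crt -days 30 2>/dev/null
  # Completely separate client CA and the client certificate it signs
  openssl req -x509 -newkey rsa:2048 -nodes -keyout client-ca.key -out client-ca.crt \
    -days 30 -subj "/CN=Client CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr \
    -subj "/CN=client1" 2>/dev/null
  openssl x509 -req -in client1.csr -CA client-ca.crt -CAkey client-ca.key \
    -CAcreateserial -out client1.crt -days 30 2>/dev/null
  echo "$dir"
}

# Returns 0 when cert $2 chains to the CA file $1 (the check the profile's
# trusted-CA setting performs on the client cert during the handshake).
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when cert $1 and private key $2 carry the same public key
# (a mismatched pair is a common reason a cert/key pair is rejected).
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)
  [ "$cert_pub" = "$key_pub" ]
}
```

Run `verify_against_ca client-ca.crt client1.crt` against each CA you intend to list in the profile; the client cert must verify against the CA set in Client Authentication, and verifying it against the server's CA is expected to fail.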