Forum Discussion
Josiah_39459
Historic F5 Account
You just need to add the CA bundle for the signer of your client certs. It's in a different section and completely independent of the server/vip cert.
If you want to force the clients to send their client certs, then yes, you need Require.
Josiah_39459
Mar 22, 2016
Historic F5 Account
I'm confused. Have you ever done client certification in any environment? I am mostly explaining how it works on F5, with the assumption you understand the general process. However, much of what you write is confusing to me. Let's try a more basic approach.
-----------------------------------------------------------
Speaking generally, client certs are valid if they are signed by a signer you trust and they haven't expired. You want to trust clients with these certs usually because YOU (your domain controller) or someone you trust (parent/partner/sibling company) gave them these certs. Often not manually, but some automated process where they request a cert from some cert server under your administration and then install that cert on their "company" device.
-----------------------------------------------------------
If you want to trust certs from multiple signers, no problem, just bundle all the signers' certs into your CA bundle. You should have these certs or get them easily, because they are the certs used by the cert server that issues the clients their certs.
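The rule stated above (a client cert is accepted when it chains to a signer in the CA bundle and is inside its validity period, the server/VIP cert playing no part, and a bundle is simply the signers' CA certificates concatenated) can be exercised end to end in a small Go program. This is an added example, not code from the thread or from F5: the "Corp" and "Partner" CAs, the client names and the validity windows are all constructed here, and `verifyClient` models the check the VIP does with client-cert mode set to Require (a missing cert is a failure, as is one from a signer you never bundled or one that has expired).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signer stands in for a cert server (yours or a partner's). Constructed for the example.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pem  []byte // the only thing you need from a signer: its CA certificate in PEM
}

// newCA creates a self-signed CA certificate with the given common name.
func newCA(cn string, serial int64) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{cert: cert, key: key, pem: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// issueClient has the signer issue a client-auth certificate for cn with the given validity window.
func (s *signer) issueClient(cn string, serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.cert, &key.PublicKey, s.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildBundle concatenates the signers' CA certificates: that concatenation is the CA bundle.
func buildBundle(signers ...*signer) []byte {
	var b bytes.Buffer
	for _, s := range signers {
		b.Write(s.pem)
	}
	return b.Bytes()
}

// verifyClient models the Require check: a client cert must be present, must chain to a
// signer in the bundle, and must be within its validity period at time now.
func verifyClient(bundlePEM []byte, client *x509.Certificate, now time.Time) error {
	if client == nil {
		return errors.New("no client certificate presented")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("CA bundle contains no parseable certificates")
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now, day := time.Now(), 24*time.Hour
	corp, _ := newCA("Corp Issuing CA", 1)       // your own cert server
	partner, _ := newCA("Partner Issuing CA", 2) // a partner's cert server
	rogue, _ := newCA("Somebody Else", 3)        // a signer you never chose to trust
	bundle := buildBundle(corp, partner)
	alice, _ := corp.issueClient("alice", 10, now.Add(-time.Hour), now.Add(day))
	bob, _ := partner.issueClient("bob", 11, now.Add(-time.Hour), now.Add(day))
	mallory, _ := rogue.issueClient("mallory", 12, now.Add(-time.Hour), now.Add(day))
	carol, _ := corp.issueClient("carol", 13, now.Add(-2*day), now.Add(-day)) // already expired
	for name, c := range map[string]*x509.Certificate{"alice": alice, "bob": bob, "mallory": mallory, "carol": carol, "none": nil} {
		fmt.Printf("%-8s -> %v\n", name, verifyClient(bundle, c, now))
	}
}
```

Only alice and bob verify; mallory fails because her signer is not in the bundle, carol because she is past her NotAfter, and the nil case is what Require turns into a rejected handshake. Dropping `partner` from `buildBundle` makes bob fail too, which is the "add every signer you want to trust" point made above.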