Forum Discussion

Kevin_48708's avatar
Kevin_48708
Icon for Nimbostratus rankNimbostratus
Nov 09, 2011

Can SAN certificates be used for Device certificates?

Hello

 

 

I'm attemting to apply 3rd party signed certificates as device certificates on a GTM and LTM deployment.

 

 

I have created a trust chain by concatenating the Root and Intermediate CA certificates and then importing this file into both the Trusted Server Certificates and Trusted Device Certificates stores. This appears to have been successful as the two certificates can be viewed in the GUI. I have also set the certificate depth for the gtmd and big3d daemons to 2. I have run bigip_add between the devices I'm attemting to establish communications between.

 

 

I then imported a SAN certificate as the Device Certificate.

 

 

When running iqdump I get the following output:

 

 

[root@xxx:Standby] config iqdump 192.168.13.38

 

32206:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1054:SSL alert number 43

 

---

 

Certificate chain

 

0 s:

 

i:/DC=mdc/DC=ppmanagement/CN=ALBxxx

 

-----BEGIN CERTIFICATE-----

 

***Deleted***

 

-----END CERTIFICATE-----

 

1 s:/DC=mdc/DC=ppmanagement/CN=ALBxxx

 

i:/CN=PP Root CA

 

-----BEGIN CERTIFICATE-----

 

***Deleted***

 

-----END CERTIFICATE-----

 

2 s:/CN=PP Root CA

 

i:/CN=PP Root CA

 

-----BEGIN CERTIFICATE-----

 

***Deleted***

 

-----END CERTIFICATE-----

 

---

 

Server certificate

 

subject=

 

issuer=/DC=mdc/DC=ppmanagement/CN=ALBxxx

 

---

 

Acceptable client certificate CA names

 

/CN=PP Root CA

 

/DC=mdc/DC=ppmanagement/CN=ALBxxx

 

---

 

SSL handshake has read 4219 bytes and written 4363 bytes

 

---

 

New, TLSv1/SSLv3, Cipher is AES256-SHA

 

Server public key is 1024 bit

 

SSL-Session:

 

Protocol : TLSv1

 

Cipher : AES256-SHA

 

Session-ID:

 

Session-ID-ctx:

 

Master-Key: ***Deleted***

 

Key-Arg : None

 

Compression: 1 (zlib compression)

 

Start Time: 1320834615

 

Timeout : 7200 (sec)

 

 

 

I get the following output when I attempt to verify the Device Certificate using the Trusted Device Certificate:

 

[root@xxx:Standby] config openssl verify -purpose sslclient -CAfile /config/big3d/client.crt /config/httpd/conf/ssl.crt/server.crt

 

/config/httpd/conf/ssl.crt/server.crt:

 

error 26 at 0 depth lookup:unsupported certificate purpose

 

OK

 

[root@xxx:Standby] config

 

 

The output seems to point to the fact that the Device Certificate is not supported. I just wondered if anyone had come accross this iss and been able to resolve it?

 

 

i.e. Has anyone implemented SAN certificates as Device Certificates?

 

 

Best Regards

 

 

Kevin

 

 

I have reviewed the following documents in my attempts to resolve the issue:

 

 

http://support.f5.com/kb/en-us/prod...r=17581566

 

http://support.f5.com/kb/en-us/solu...r=17581554

 

http://support.f5.com/kb/en-us/solu...l8195.html

 

http://devcentral.f5.com/Community/...fault.aspx

 

 

9 Replies

  • Dear All

     

     

    SAN certificates can be used for device certificates.

     

     

    There are a few requirements that must be met.

     

     

    1. The certificate chain for the root and any intermediate CA certificates must be loaded into the Trusted Device certificates, for use by the big3d daemon.

     

    2. The certificate chain for the root and any intermediate CA certificates must be loaded into the Trusted Server Certificates, for use by the gtmd daemon.

     

    3. The certificate chain for the root and any intermediate CA certificates needs to be saved into /config/httpd/ssl.crt/ for use by the httpd.

     

    4. The httpd daemon then needs to be informed where to find the CA certificate chain.

     

     

    Create CA chain

     

    If your certs are in .pem format then you can simply cut and paste them into a single file. I'm not sure if the order matters but I put the root CA cert at the top of the file and my intermediate CA below it. If you are familiar with the unix cli command cat you can do this from the command line on the bigip.

     

     

    Big3d

     

    From the GUI System >>> Device Certificates >>> Trusted Device Certificates >>> Import.

     

    At this stage I appended the certificate chain to the existing trusted certificates. You also have the option to replace beware this deletes all the existing trusted device certificates.

     

     

    Gtmd

     

    From the GUI Global Traffic >>> Servers >>> Trusted Server Certificates >>> Import. the same options to append or replace as with the Big3d process above.

     

     

    Httpd

     

    Use WinSCP or FileZilla etc to upload the CA certificate chain to /config/httpd/ssl.crt/

     

    From tmsh you need to instruct httpd to reference the CA certificate chain:

     

    ) modify sys httpd ssl-certchainfile /config/httpd/ssl.crt/your_ca_cert_chain.crt

     

    Not sure about bigpipe but it's something like:

     

    [root@xxx:Active] / b httpd sslcertchainfile /config/httpd/conf/ssl.crt/your_ca_cert_chain.crt

     

     

    Repeat this process on other GTMs and LTMs (excluding the gtmd part). restart big3d, gtmd and httpd. Check you results using iqdump.

     

     

    Best Regards

     

     

    Kevin

     

     

  • Hi

     

     

    How did you solve this problem ?

     

     

     

    I have followed all documentation, included the documentation provided in this topic, but I still avoir iqsh communication errors between GTM and LTM ...

     

     

     

    From the GTM :

     

    iqdump 10.0.20.253

     

    8096:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1054:SSL alert number 43

     

    ---

     

     

    [...]

     

    ---

     

    SSL handshake has read 1901 bytes and written 2061 bytes

     

    ---

     

    New, TLSv1/SSLv3, Cipher is AES256-SHA

     

    Server public key is 1024 bit

     

    SSL-Session:

     

    Protocol : TLSv1

     

    Cipher : AES256-SHA

     

    Session-ID:

     

    Session-ID-ctx:

     

    Master-Key: ....

     

    Key-Arg : None

     

    Compression: 1 (zlib compression)

     

    Start Time: 1323953942

     

    Timeout : 7200 (sec)

     

    Verify return code: 0 (ok)

     

    ---

     

     

     

     

    But GTM still cannot communicate with LTM.

     

     

     

    openssl verify -purpose sslserver -CAfile /config/httpd/conf/ssl.crt/ca_coreye.crt /config/httpd/conf/ssl.crt/server.crt

     

    /config/httpd/conf/ssl.crt/server.crt: OK

     

     

     

     

    Thanks in advance for your help ;)

     

  • And when I dump the traffic, I saw that the LTM is closing the connection with an Alert : Level: Fatal, Description : unsupported certificate.)

     

     

     

    Is GTM need a client certificate to communicate with LTM ? And if it's the case, where I can put it (in webgui or through SSH) ?

     

     

  • More and more test without understanding why SSL does not work for iqsh !

     

     

    openssl s_client -connect 10.0.20.253:4353 -showcerts -state -nbio

     

    CONNECTED(00000003)

     

    turning on non blocking io

     

    SSL_connect:before/connect initialization

     

    SSL_connect:SSLv2/v3 write client hello A

     

    SSL_connect:error in SSLv2/v3 read server hello A

     

    write R BLOCK

     

    SSL_connect:error in SSLv2/v3 read server hello A

     

    read:errno=104

     

     

    But why ? the certificate sent by the server is the same as for httpd, and my browser is getting no warnings when I connect through HTTPS :/

     

  • I have finally found, the certificate needs Client and Server extension .... that's pretty abnormal but it works !
  • Fabien, Can you clarify what your last post means....files need Client and Server need extension?
  • I had this problem too and I think what Fabien means is that the usage of the cert has to be both for client AND server. I was signing servers from our AD CA using the webserver template which only sets the usage to be for servers. This didn't work when using them on GTM\LTM's - to get this to work I had to use a template that allows for server and client usage. iQuery works fine now.