Forum Discussion

Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent
Aug 13, 2012

SSL certificate authentication

We have a customer with a requirement to enable SSL certificate based authentication to their web server. They have only one certificate that they would like to be able to authenticate with. We also must terminate their SSL session, inspect (ASM), re-encrypt and pass along to the destination web server. Here's my proposed setup:

 

 

- create SSL client profile with the web server certificate for SSL termination, require client certificate authentication based on a trusted certificate authority that I create which will include the certificate which the client will present for authentication

 

- create SSL server profile with the web server certificate for SSL re-encryption, no authentication

 

 

Any authentication gurus out there know if this will work, or if it needs to/should be done a different way?

 

 

There's also another possible sticking point, which is passing the client certificate back to the destination web server. Is this a possibility?

 

5 Replies

  • - create SSL server profile with the web server certificate for SSL re-encryption, no authenticationif web server does not do client certificate authentication, default serverssl profile would work just fine.

     

     

    There's also another possible sticking point, which is passing the client certificate back to the destination web server. Is this a possibility?is this applicable?

     

     

    Insert Client Certificate In Serverside HTTP Headers

     

    https://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx
  • The web server will be doing client certificate authentication as well. There is a subset of internal users who will be accessing the web server and not going through the LTM, so certificate based authentication has to be done at the web server level. It's a strange setup, I know...

     

     

    That iRule should do the trick for the passing of the client certificate.
  • The web server will be doing client certificate authentication as well.so, certificate and key you have to set in serverssl profile is client one (not web server certificate and key) since bigip will act as client to present cilent certificate to web server for authentication.
  • If you need the web servers to receive the actual client certificate, you can look at the Proxy SSL feature added in 11.0.

     

     

    Release Note: BIG-IP LTM and TMOS version 11.0.0

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html

     

     

    Proxy SSL Support

     

     

    This release provides Proxy SSL support in Client SSL and Server SSL profiles, which enables direct client-server authentication. You can find information about Proxy SSL in the Big-IP Local Traffic Manager: Implementations guide on AskF5. http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/15.html

     

     

    sol13385: Overview of Proxy SSL feature

     

    https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

     

     

    Aaron
  • I'll give this Proxy SSL feature a shot and see how it goes. Thank you both for the information.