Forum Discussion

Tony_Augustine_
Dec 15, 2008

How to configure BIG-IP to accept client certs from multiple CAs to the same VS

I have a Client SSL Profile set up for terminating 2-way SSL at the BIG-IP. However, it is currently set up to only accept client certificates issued by a particular CA. Can I, and if so how do I, configure the SSL profile to accept client certificates issued by more than one CA?

I think the client "cert ca" property of an SSL Client Profile is used to set this up. However, it looks like I can specify only one CA cert in that.

Any help would be appreciated.

8 Replies

  • I think you can concatenate multiple CA certificates in a bundle and configure the client SSL profile to use the cert bundle as the Trusted Certificate Authorities option. Here is a snippet from the 9.3 config guide:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3config/BIG_IP_LTM_9_3_Config_Guide-10-1.html

    Specifying trusted client CAs

    For client-side SSL processing, you can configure an SSL profile to verify certificates presented by a client or a server. Using the Trusted Certificate Authorities setting, you can specify a client trusted CAs file name, which the BIG-IP system then uses to verify client or server certificates. If you do not configure a trusted CAs file, the profile uses a default file.

    The trusted CAs file that you specify for certificate verification contains one or more certificates, in Privacy Enhanced Mail (PEM) format. Built manually, this file contains a list of the client or server certificates that the SSL profile will trust. If you do not specify a trusted CAs file, or the specified trusted CAs file is not accessible to the BIG-IP system, the system uses the default file name.

    You'll probably want to configure the same cert bundle in the 'Advertised Certificate Authorities' section as well.

    Aaron
  • As usual, Aaron is completely right; I have done this many times. You just have to copy the contents of each cert, including the ===beginning=== and ===end=== lines, paste them into a single file, and then associate that file within your profile (SSL Profile (Client)).

    I initially thought you wanted to support multiple sites with a single virtual.
  • Aaron

    Thanks a lot. I had some trouble copying & pasting the certs into a single file. Are there any other tools/ways to create a cert bundle?

    Tony
  • Are you having problems with Windows line terminators being different from Linux? Windows uses CR and LF, while *nix uses LF only.

    If you are familiar with vi or pico you could do this on the BIG-IP command line. Otherwise, you could use a Windows text editor that supports *nix line feeds. Notepad++ is open source and should work.

    Or you can remove the carriage returns from the Windows file using sed:

    sed 's/\r$//' input.txt > output.txt

    Aaron
  • ... do

    cat servercert1.pem servercert2.pem ... >> certBundle.crt

    or

    cat servercert* >> certBundle.crt
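The two replies above cover the two halves of building the bundle by hand: concatenating the PEM files and stripping Windows carriage returns. The script below is an added example, not code from the thread or from F5: a POSIX shell version that does both steps in one pass and then checks the result for the two mistakes that usually cause "the profile only sees the first cert" symptoms, namely a CR left on the end of the BEGIN/END marker lines, and a source file with no trailing newline, which glues its END marker onto the next file's BEGIN marker. The file names (ca1.pem, ca2.pem, ca-bundle.pem) are assumptions, the PEM bodies are constructed placeholders rather than real CA certificates, and the marker-counting check is a heuristic of my own, not anything the BIG-IP performs.

```shell
#!/bin/sh
# Added example (not from the original thread): build a trusted-CA bundle
# for a BIG-IP client SSL profile from several CA certificate files.
# Problems handled:
#   1. Windows CRLF line endings (a CR left at the end of every line)
#   2. a missing newline between the END marker of one cert and the
#      BEGIN marker of the next, which glues two certificates together.

# Normalise one PEM file: drop every CR and make sure the file ends with a
# newline. awk re-emits each record with its own newline, so a last line
# that had none gets one.
normalize_pem() {
    tr -d '\r' < "$1" | awk '{ print }'
}

# Count the certificates in a PEM file (one BEGIN marker per certificate).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Heuristic sanity check (my own, not a BIG-IP feature):
#  - at least one certificate
#  - as many clean BEGIN lines as clean END lines
#  - every line that carries a marker is exactly a clean marker line.
# A CR-terminated marker or a glued "-----END...-----BEGIN" line counts in
# $m but not in $b or $e, so the last comparison catches both defects.
check_pem() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    m=$(grep -c 'CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] && [ "$m" -eq $((b + e)) ]
}

# Build the bundle: normalise each input and append it to the output.
# The output is truncated first so re-running the script does not pile a
# second copy of every CA onto the end of an existing bundle.
build_ca_bundle() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        normalize_pem "$f" >> "$out"
    done
    check_pem "$out"
}

# Demonstration on constructed input: one file with CRLF endings, one
# without a trailing newline. The base64 bodies are placeholders only.
demo() {
    d=$(mktemp -d)
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ0FBQUE=' \
        '-----END CERTIFICATE-----' > "$d/ca1.pem"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TUlJQ0JCQkI=' \
        '-----END CERTIFICATE-----' > "$d/ca2.pem"

    # Plain cat of the raw files fails the check (CRs and a glued marker).
    cat "$d/ca1.pem" "$d/ca2.pem" > "$d/raw.pem"
    if check_pem "$d/raw.pem"; then
        echo "raw concatenation unexpectedly passed"
    else
        echo "raw concatenation rejected, as expected"
    fi

    if build_ca_bundle "$d/ca-bundle.pem" "$d/ca1.pem" "$d/ca2.pem"; then
        echo "bundle OK: $(count_certs "$d/ca-bundle.pem") certificate(s)"
    else
        echo "bundle FAILED check"
    fi
    rm -rf "$d"
}

demo
```

Once the bundle passes the check, it is the file you import and select as the Trusted Certificate Authorities (and, as Aaron notes, optionally the Advertised Certificate Authorities) in the client SSL profile. The one deliberate difference from the `cat ... >> certBundle.crt` one-liner is that the output is truncated before writing; appending to an existing bundle silently duplicates every CA on each run.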
  • I know this is an old thread, but I'm hoping maybe someone can chime in. I am attempting to get this working on version 10.2.1. I was able to create the cert bundle and the key bundle, and a new profile using these bundles. I don't see any errors anywhere. But when I access the site from a browser, it seems that the browser only sees the first cert that I imported into the bundle. Is there anything else I need to do to get it to show both?

    Thanks.

    Steve
  • You can't specify multiple server certificates this way. So, just so we're clear, this thread is about accepting client certificates from multiple CAs. That's accomplished by adding all of the CA public certificates to a text file and applying that to the Trusted Certificate Authorities drop-down of the client SSL profile. You can optionally use this "bundle" in the Advertised Certificate Authorities drop-down, or tailor it so that only specific certificate choices are shown in the client browser.

    To allow a virtual server to present multiple server certificates, as I assume you're attempting, you have a few choices:

    1. Wildcard or SAN certificates - certificates that allow for multiple FQDNs (usually very expensive)

    2. TLS SNI, or "Server Name Indicator" - an extension to the TLS profile that allows the BIG-IP to "switch" between server certificates based on the hostname the browser is asking for. In version 10 this can be accomplished with an iRule:

    https://devcentral.f5.com/tutorials/tech-tips/multiple-certs-one-vip-tls-server-name-indication-via-irules

    In version 11 it's incorporated into the SSL profile.