Two-way SSL authentication with self-signed client certificate

Question

Hi, we're trying to implement a two-way SSL authentication against one of our virtual servers.&nbsp;
We have a certificate for our virtual server, which is signed by a CA and is working just as expected.&nbsp;
However, we don't want to let anyone connect to this virtual server unless we are presented with a client side SSL certificate.&nbsp;
The challenge we're facing is that, this client side certificate is self-signed. So, when the client connects, the F5 cannot validate the certificate and our connection cannot be established.&nbsp;
Just to get some things out of the way:&nbsp;
We only have the certificate and we cannot get the key for the client side certificate.We cannot upload or CA certificate or key to the other side where the connections are coming from.
I would like to know:&nbsp;
Is there any way to tell the F5 to trust this certificate? If so, how?I read, somewhere, that we can just set the mode to request and then add an iRule to validate the certificate. Is that possible?
I would appreciate any help on this matter.&nbsp;
Thanks&nbsp;

cory_50405 · Answer

Is the certificate needed on the backend server for authentication?  If so, then you could enable proxy SSL within the client and server SSL profiles assigned to your virtual server.  This will enable the client certificate to be passed along to the web server.  Since you mention this is two-way SSL, I suspect the server is still doing the authentication piece.&nbsp;
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html&nbsp;

sebas_82058 · Answer

No, the backend doesn't even need to know about this. We just need the load balancer to validate connections are coming only from the sources we trust.&nbsp;
It's similar to this, however, the CA piece is the one I am having problems with:&nbsp;
https://devcentral.f5.com/questions/2-way-ssl-implementation-25325&nbsp;

sebas_82058 · Answer

I finally implemented this via an iRule that will do the work. Not the most beautiful solution, but it serves the purpose given the limitations on the client side.&nbsp;

neeraj_jags_152 · Answer

I need help&nbsp;

neeraj_jags_152 · Answer

I configured as per two way auth in F5 LB LTM ver 11.x as per below: - 
 Client side SSL configured 
 Server side SSL configured with key &amp; cert and same key and cert are exist on pool member server.&nbsp;
Only server side SSL auth is working but Client auth is not working:- 
take this way.
Client shared a open.ssl self signed certificate let say client_cert.cer I have imported client_cert.cer in F5. then When I configuring the SSL Client Profile, I selected the client_cert.cer in drop down box of Trusted Certificate Authorities :-- .. is this configuration TRUE, or will I need the different CA certificate from client&nbsp;

Forum Discussion

Two-way SSL authentication with self-signed client certificate

8 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Changing self-signed device certificate impact

Doing mTLS Authentication per URL