theXfactor82_91
Oct 02, 2015

APM SSL_VPN Certificate Check Failing

Some of our Corporate laptops have multiple local machine Certificates from the same CA installed on them. We are using these certificates to verify that it is a Corporate device when attempting to establish a VPN tunnel in via APM.

 

We are getting the error message "X509_verify_cert failed: error : 10 at depth 0, error message:certificate has expired" because the APM is finding the expired cert and not the new one on the laptop. Is there any way to tell the APM to keep checking the LocalMachine store location for the second Certificate? We are trying to find a workaround until our Support team can remove the expired Certs from all the laptops.

 

2 Replies

  • Unfortunately there isn't much you can do from the APM side other than try to narrow it down to only find the valid search by looking for the issuer (which I assume will match both). APM will find the first certificate that matches the criteria in the VPE Action options and then test that certificate. If the expired certificate is found first then the process will error as that certificate is expired.

     

    Would the certificates possibly be issued by a different CA? If so then you can limit the scope of the search.

     

    If not it appears you need to advise your users to delete the expired certificate if they have issues.

     

    Seth
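
An added example, not part of the original thread and not F5 tooling: a PowerShell audit a support team could run on a laptop to find the situation described above, where the LocalMachine store holds both an expired and a valid certificate from the same issuer. The issuer string is a placeholder assumption; the removal step is left in `-WhatIf` (dry-run) mode.

```powershell
# Added example: audit Cert:\LocalMachine\My for an issuer that has BOTH an
# expired and a currently valid certificate, which is the condition that makes
# the machine-certificate check pick the expired one first.

# ASSUMPTION: placeholder issuer fragment, replace with your corporate CA's issuer DN.
$IssuerMatch = 'CN=Example Corporate CA'
$now = Get-Date

# All machine certificates issued by the CA in question.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" })

$expired = @($certs | Where-Object { $_.NotAfter -lt $now })
$valid   = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now })

# Report every matching certificate with its validity state.
$certs | Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'State'; Expression = {
            if     ($_.NotAfter  -lt $now) { 'Expired' }
            elseif ($_.NotBefore -gt $now) { 'NotYetValid' }
            else                           { 'Valid' }
        } } |
    Format-Table -AutoSize

if ($expired.Count -gt 0 -and $valid.Count -gt 0) {
    Write-Warning ("{0} expired and {1} valid certificate(s) from the same issuer; the expired one may be selected first." -f $expired.Count, $valid.Count)
    foreach ($c in $expired) {
        # Dry run only. Remove -WhatIf (and run elevated) to actually delete.
        Remove-Item -LiteralPath $c.PSPath -WhatIf
    }
}
elseif ($valid.Count -eq 0) {
    # Cleaning up expired certificates will not help if no valid one exists.
    Write-Warning 'No currently valid certificate from this issuer; the device needs re-enrollment.'
}
else {
    Write-Output 'No expired certificates from this issuer in LocalMachine\My.'
}
```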