Forum Discussion

action_-
Jun 14, 2019

Client cert auth, more than advertised CA filtering?

We currently use client cert auth using smart cards at my organization. There is a push to move from one CA's certificates to another CA's certificates. There are 3 certificates on each smart card, one from one CA, and two from the other CA.

 

For the current CA that we are using to authenticate, there is one certificate issued to users on their smart card. The other CA has two certificates issued to users on their smart cards.

This new order states that we need to use ONE specific certificate from the CA that the users have two certs for.

 

Currently, our setup is to use the advertised CA in the client SSL profile and just use APM to prompt the user; they pick the one cert and authenticate with it.

 

With this migration, I'm having an issue trying to force the use of a specific certificate from the CA that the users have two certificates for. The only difference I've seen is that the certificate we want to use has a certain format of serial number, like the serial number ends with "a".

 

I guess my question really comes down to: is there any way for me to filter the certificate prompt any deeper than the advertised CA in the client cert profile?

5 Replies

  • You should request the IETF to add such a filter to the TLS specifications...

    In TLS 1.2, section 7.4.4, the CertificateRequest message structure is the following:

        struct {
            ClientCertificateType certificate_types<1..2^8-1>;
            SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
            DistinguishedName certificate_authorities<0..2^16-1>;
        } CertificateRequest;

    F5 can't send the client more information than is described in this message.

    • action_-

      Thank you for your answer and the reference.

       

      I'll have to report back up the chain that we can't restrict what the server requests for client cert any more granularly than the advertised CA.
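As an added illustration of the CertificateRequest reply above (example code written for this page, not from the thread, the RFC or F5): the Go program below builds and parses the TLS 1.2 CertificateRequest body from RFC 5246 section 7.4.4 and applies the only filter a client can derive from it, a match on the issuer Distinguished Name. The issuer names are constructed placeholders, and clientWouldOffer is a simplified model of client behaviour rather than any particular browser's or smart-card middleware's code.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
)

// certificateRequest mirrors the RFC 5246 section 7.4.4 body: client certificate
// types (1 = rsa_sign, 64 = ecdsa_sign), raw {hash, signature} algorithm pairs,
// and one DER-encoded DistinguishedName per acceptable issuer.
type certificateRequest struct {
	certificateTypes             []byte
	supportedSignatureAlgorithms []byte
	certificateAuthorities       [][]byte
}

// encode serialises the body as it goes on the wire (handshake header omitted).
func (r *certificateRequest) encode() []byte {
	var b, cas bytes.Buffer
	b.WriteByte(byte(len(r.certificateTypes))) // certificate_types<1..2^8-1>
	b.Write(r.certificateTypes)
	binary.Write(&b, binary.BigEndian, uint16(len(r.supportedSignatureAlgorithms)))
	b.Write(r.supportedSignatureAlgorithms)
	for _, dn := range r.certificateAuthorities { // each DN is itself length-prefixed
		binary.Write(&cas, binary.BigEndian, uint16(len(dn)))
		cas.Write(dn)
	}
	binary.Write(&b, binary.BigEndian, uint16(cas.Len())) // certificate_authorities<0..2^16-1>
	b.Write(cas.Bytes())
	return b.Bytes()
}

// readVector pops one vector with a big-endian length of lenBytes (1 or 2) off msg.
func readVector(msg []byte, lenBytes int) (body, rest []byte, err error) {
	n := 0
	for i := 0; i < lenBytes && i < len(msg); i++ {
		n = n<<8 | int(msg[i])
	}
	if len(msg) < lenBytes || len(msg) < lenBytes+n {
		return nil, nil, errors.New("truncated vector")
	}
	return msg[lenBytes : lenBytes+n], msg[lenBytes+n:], nil
}

// decodeCertificateRequest parses a body back, rejecting anything truncated.
func decodeCertificateRequest(msg []byte) (*certificateRequest, error) {
	types, msg, err1 := readVector(msg, 1)
	algs, msg, err2 := readVector(msg, 2)
	cas, msg, err3 := readVector(msg, 2)
	if err1 != nil || err2 != nil || err3 != nil || len(msg) != 0 || len(algs)%2 != 0 {
		return nil, errors.New("malformed CertificateRequest")
	}
	r := &certificateRequest{certificateTypes: types, supportedSignatureAlgorithms: algs}
	for len(cas) > 0 { // each DistinguishedName is itself a 2-byte length-prefixed vector
		dn, rest, err := readVector(cas, 2)
		if err != nil {
			return nil, err
		}
		r.certificateAuthorities, cas = append(r.certificateAuthorities, dn), rest
	}
	return r, nil
}

// dnDER encodes a name as it appears in a certificate's Issuer field.
func dnDER(name pkix.Name) []byte {
	der, err := asn1.Marshal(name.ToRDNSequence())
	if err != nil {
		panic(err)
	}
	return der
}

// clientWouldOffer is the whole filter a client can derive from the message: is the
// candidate's issuer DN in certificate_authorities? Serial number and key usage are
// not inputs, so two certificates from one issuer are indistinguishable here.
func clientWouldOffer(req *certificateRequest, issuerDER []byte) bool {
	if len(req.certificateAuthorities) == 0 {
		return true // empty list: any certificate of an acceptable type may be sent
	}
	for _, ca := range req.certificateAuthorities {
		if bytes.Equal(ca, issuerDER) {
			return true
		}
	}
	return false
}

func main() {
	ca2 := dnDER(pkix.Name{CommonName: "Example Issuing CA 2"}) // constructed issuer names
	ca1 := dnDER(pkix.Name{CommonName: "Example Issuing CA 1"})
	req := &certificateRequest{certificateTypes: []byte{1, 64}, supportedSignatureAlgorithms: []byte{4, 1, 4, 3}, certificateAuthorities: [][]byte{ca2}}
	parsed, err := decodeCertificateRequest(req.encode())
	if err != nil {
		panic(err)
	}
	fmt.Println("issued by CA 2:", clientWouldOffer(parsed, ca2), "issued by CA 1:", clientWouldOffer(parsed, ca1)) // true false
}
```

Both certificates the question describes share the issuer that was advertised, so both pass this filter; neither the serial number nor the key usage is carried in the message at all. That is the whole of what the advertised-CA setting can express, which is why the prompt cannot be narrowed further at the TLS layer.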

       

       

  • Wondering if you know any secret F5 magic on this one, or are familiar with the new client cert auth requirements from the DoD?

  • Quick answer is no, but also it's not something that the F5 can control anyway. A server can hint to the client which certs it can select from, which is what the Advertised list does, but ultimately it's up to the client to perform said filter, and per the RFC it's based only on issuer information.

     

    Might I inquire: the CA that issues two of the certs on the smart card, are they both identity certs (keyUsage contains "Client Authentication"), or is one of them an (email) encryption certificate?

    • action_-

      They are both "identity certs". The old cert has a Key Usage of Digital Signature, Non-Repudiation and no Enhanced Key Usage.

      The new cert that has been mandated for authentication has a Key Usage of Digital Signature with an Enhanced Key Usage of Smart Card Logon, Client Authentication.

       

      There has been a mandate for web application owners to only be able to authenticate using this new certificate by early next year, and some of the documentation can be construed to mean that you cannot allow the other certificates that have been issued by the same CAs.

       

      And of course with the contact info that they give you, no one responds.