F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Visual Policy Editor
  3. Access Policy Item Reference
  4. About endpoint security client-side items
  5. About Machine Cert Auth
Manual Chapter : About Machine Cert Auth

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0
Manual Chapter

About Machine Cert Auth

A Machine Certificate Auth action can check for the existence of fields in a machine certificate to ensure that Windows and Mac client systems comply with your security policy.
Client-specific requirements
Client
Description
Windows
The Machine Cert Auth action accesses the machine certificate private key; admin privilege is required to do this. A user that runs without admin privilege cannot successfully run this check unless the machine certificate checker service is installed on the machine. (The Machine Certificate Checker Service is available for inclusion in the Windows client package from the Secure Connectivity area of Access Policy Manager.)
Mac
The Machine Cert Auth action accesses the machine certificate private key. If the certificate is stored in a keychain other than user’s own keychain, such as the system keychain, then an ACL is required for non-admin  users to be able to access this private key.
The Machine Certificate Auth action provides the following configuration elements and options:
Certificate Store Name
Specifies the certificate store name that the action attempts to match. The certificate store can be a system store with a predefined name, such as MY, or a user-defined name. The store name can contain alphanumeric characters. The Machine Cert Auth action treats MY as the default store name for both Mac and Windows clients.
Certificate Store Location
Specifies the type and location of the store that contains the certificate, either the local machine or the current user. For a Windows client, the store locations are in the following registry locations:
  • LocalMachine
     When specified, the action searches in
    HKEY_LOCAL_MACHINE
     for the machine certificate.
  • CurrentUser
     When specified, the action searches in
    HKEY_CURRENT_USER
     for the machine certificate.
For a Mac client, the store locations are keychains in the following domains:
  • LocalMachine
     When specified, the action searches in the keychain specified in
    Certificate Store Name
     in the system preference domain.
  • CurrentUser
     When specified, the action searches in the keychain specified in
    Certificate Store Name
     in the user preference domain.
For a Mac client, the following examples apply.
  • If
    Certificate Store Name
     is set to
    System.keychain
     and
    Certificate Store Location
     is set to
    LocalMachine
    , the action searches for the machine certificate in
    /Library/Keychains/System.keychain
    .
  • If
    Certificate Store Name
     is set to
    login.keychain
     and
    Certificate Store Location
     is set to
    CurrentUser
    , the action searches for the machine certificate in
    /Library/Keychains/login.keychain
     and then searches for the machine certificate in
    /Users/username/Library/Keychains/login.keychain
  • If
    Certificate Store Name
     is set to
    MY
     then the action searches for the machine certificate in the default keychain of
    Certificate Store Location
    .
CA Profile
Specifies the certificate authority profile for the particular machine certificate.
Save Certificate in a session variable
Specifies
Enabled
 or
Disabled
. When
Enabled
, specifies that the complete encrypted text of the machine certificate be saved in a session variable,
session.check_machinecert.<name>.cert.cert
.
Allow User Account Control right elevation prompts
Specifies
Yes
 or
No
. When set to
Yes
, a UAC prompt for users with admin-level privileges is allowed. When set to
No
 the UAC prompt for non-admin users is suppressed, which can cause a failure to verify the machine certificate. This setting does not affect users without admin-level privileges. If the Machine Certificate Checker Service is installed and
Allow User Account Control right elevation prompts
 is set to
Yes
, the following scenarios occur:
  • Users with administrator privilege are prompted for UAC.
  • Standard users who use Machine Certificate Checker service will not be prompted for UAC.
  • Guest users who use Machine Certificate Checker service will not be prompted for UAC.
If the Machine Certificate Checker Service is installed and
Allow User Account Control right elevation prompts
 is set to
No
, the following scenarios occur:
  • Users with administrator privilege are not prompted for UAC.
  • Standard users who use Machine Certificate Checker service will not be prompted for UAC.
  • Guest users who use Machine Certificate Checker service will not be prompted for UAC.
If you do not install Machine Certificate Checker Service and set
Allow User Account Control right elevation prompts
 to
Yes
, the following scenarios occur:
  • Users with administrator privilege are prompted for UAC.
  • Standard users will fail to verify machine certificate.
  • Guest users will fail to verify machine certificate.
If you do not install Machine Certificate Checker Service and set
Allow User Account Control right elevation prompts
 to
No
, the following scenarios occur:
  • Users with administrator privilege will fail to verify machine certificate.
  • Standard users will fail to verify machine certificate.
  • Guest users will fail to verify machine certificate.
Match Subject CN with FQDN
Specifies
Yes
 or
No
. When set to
Yes
, specifies that the common name in the machine certificate matches the computer's fully qualified domain name (FQDN) such as,
CHR-L-SMITH2.MARKETING.SITEREQUEST.COM
.
Match subject Alt Name with FQDN
Specifies a regular expression used to extract content from the first subgroup matched in the Subject Alternative Name, and then to compare the extracted content with the machine's FQDN.
The order of RDNs is the same as is displayed; the required separator is a comma , .
Here are some examples of regex extraction.
  • Partial extraction. For example,
    .*DNS Name=([^,]+).*
    " or
    .*Other Name:Principal Name=([^,]+).*
    . For a regular expression
    .*DNS Name=([^,]+).*
    , the value of the DNS Name field is extracted for matching.
  • Whole extraction. Using
    (.*)
     specifies that the entire SubjectAltName content be extracted for matching.
Match Issuer
Specifies a regular expression that is used to match the Issuer content against the specified pattern.
The order of RDNs is the same as is displayed; the required separator is a comma , .
Here are some examples of regex extraction.
  • Partial match.
    CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US
  • Exact match.
    E=test@f5.com, CN=f5clientrootcert, OU=es, O=f5, L=london, S=chertsey, C=uk
Match Serial Number
Specifies a serial number that must be an exact match for the certificate serial. The hex string must be specified in the same order as it is displayed by OpenSSL and Windows certificate tools. For example,
33:AA:7B:82:00:01:00:00:00:33
.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information