Manual Chapter : About Machine Cert Auth

Applies To:


BIG-IP APM

  • 15.0.1, 15.0.0

About Machine Cert Auth

A Machine Certificate Auth action can check for the existence of fields in a machine certificate to ensure that Windows and Mac client systems comply with your security policy.
Client-specific requirements
  • Windows: The Machine Cert Auth action accesses the machine certificate private key; admin privilege is required to do this. A user who runs without admin privilege cannot successfully run this check unless the Machine Certificate Checker Service is installed on the machine. (The Machine Certificate Checker Service is available for inclusion in the Windows client package from the Secure Connectivity area of Access Policy Manager.)
  • Mac: The Machine Cert Auth action accesses the machine certificate private key. If the certificate is stored in a keychain other than the user's own keychain, such as the system keychain, then an ACL is required for non-admin users to be able to access this private key.
The Machine Certificate Auth action provides the following configuration elements and options:
Certificate Store Name
Specifies the certificate store name that the action attempts to match. The certificate store can be a system store with a predefined name, such as MY, or a user-defined name. The store name can contain alphanumeric characters. The Machine Cert Auth action treats MY as the default store name for both Mac and Windows clients.
Certificate Store Location
Specifies the type and location of the store that contains the certificate, either the local machine or the current user. For a Windows client, the store locations are in the following registry locations:
  • LocalMachine: When specified, the action searches in HKEY_LOCAL_MACHINE for the machine certificate.
  • CurrentUser: When specified, the action searches in HKEY_CURRENT_USER for the machine certificate.
For a Mac client, the store locations are keychains in the following domains:
  • LocalMachine: When specified, the action searches in the keychain specified in Certificate Store Name in the system preference domain.
  • CurrentUser: When specified, the action searches in the keychain specified in Certificate Store Name in the user preference domain.
For a Mac client, the following examples apply.
  • If Certificate Store Name is set to System.keychain and Certificate Store Location is set to LocalMachine, the action searches for the machine certificate in /Library/Keychains/System.keychain.
  • If Certificate Store Name is set to login.keychain and Certificate Store Location is set to CurrentUser, the action searches for the machine certificate in /Library/Keychains/login.keychain and then searches for the machine certificate in /Users/username/Library/Keychains/login.keychain.
  • If Certificate Store Name is set to MY, the action searches for the machine certificate in the default keychain of Certificate Store Location.
CA Profile
Specifies the certificate authority profile for the particular machine certificate.
Save Certificate in a session variable
Specifies Enabled or Disabled. When Enabled, specifies that the complete encrypted text of the machine certificate be saved in a session variable, session.check_machinecert.<name>.cert.cert.
Allow User Account Control right elevation prompts
Specifies Yes or No. When set to Yes, a UAC prompt for users with admin-level privileges is allowed. When set to No, the UAC prompt for non-admin users is suppressed, which can cause a failure to verify the machine certificate. This setting does not affect users without admin-level privileges. If the Machine Certificate Checker Service is installed and Allow User Account Control right elevation prompts is set to Yes, the following scenarios occur:
  • Users with administrator privilege are prompted for UAC.
  • Standard users who use the Machine Certificate Checker Service are not prompted for UAC.
  • Guest users who use the Machine Certificate Checker Service are not prompted for UAC.
If the Machine Certificate Checker Service is installed and Allow User Account Control right elevation prompts is set to No, the following scenarios occur:
  • Users with administrator privilege are not prompted for UAC.
  • Standard users who use the Machine Certificate Checker Service are not prompted for UAC.
  • Guest users who use the Machine Certificate Checker Service are not prompted for UAC.
If you do not install the Machine Certificate Checker Service and set Allow User Account Control right elevation prompts to Yes, the following scenarios occur:
  • Users with administrator privilege are prompted for UAC.
  • Standard users fail to verify the machine certificate.
  • Guest users fail to verify the machine certificate.
If you do not install the Machine Certificate Checker Service and set Allow User Account Control right elevation prompts to No, the following scenarios occur:
  • Users with administrator privilege fail to verify the machine certificate.
  • Standard users fail to verify the machine certificate.
  • Guest users fail to verify the machine certificate.
Match Subject CN with FQDN
Specifies Yes or No. When set to Yes, specifies that the common name in the machine certificate must match the computer's fully qualified domain name (FQDN), such as CHR-L-SMITH2.MARKETING.SITEREQUEST.COM.
Match subject Alt Name with FQDN
Specifies a regular expression used to extract content from the first subgroup matched in the Subject Alternative Name, and then to compare the extracted content with the machine's FQDN.
The order of RDNs is the same as is displayed; the required separator is a comma (,).
Here are some examples of regex extraction.
  • Partial extraction. For example, .*DNS Name=([^,]+).* or .*Other Name:Principal Name=([^,]+).* . For the regular expression .*DNS Name=([^,]+).* , the value of the DNS Name field is extracted for matching.
  • Whole extraction. Using (.*) specifies that the entire SubjectAltName content be extracted for matching.
Match Issuer
Specifies a regular expression that is used to match the Issuer content against the specified pattern.
The order of RDNs is the same as is displayed; the required separator is a comma (,).
Here are some examples of regex matching.
  • Partial match: CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US
  • Exact match: E=test@f5.com, CN=f5clientrootcert, OU=es, O=f5, L=london, S=chertsey, C=uk
Match Serial Number
Specifies a serial number that must be an exact match for the certificate serial. The hex string must be specified in the same order as it is displayed by OpenSSL and Windows certificate tools. For example, 33:AA:7B:82:00:01:00:00:00:33.
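As an added example (not F5's code or the APM implementation), the following Python script applies the three matching rules described above, Match subject Alt Name with FQDN, Match Issuer and Match Serial Number, to constructed display strings in the form this page shows, using Python's re engine. It assumes that DNS names compare case-insensitively and that the issuer pattern must match the whole displayed issuer string; the sample values are hypothetical.

```python
import re

# Constructed sample values in the display form the page describes
# (hypothetical, not taken from a real certificate).
SAMPLE_SAN = ("DNS Name=chr-l-smith2.marketing.siterequest.com, "
              "Other Name:Principal Name=smith2@siterequest.com")
SAMPLE_ISSUER = "E=test@f5.com, CN=f5clientrootcert, OU=es, O=f5, L=london, S=chertsey, C=uk"
SAMPLE_SERIAL = "33:AA:7B:82:00:01:00:00:00:33"
SAMPLE_FQDN = "CHR-L-SMITH2.MARKETING.SITEREQUEST.COM"


def san_subgroup(san_text, pattern):
    """Return the first subgroup the pattern captures from the displayed
    SubjectAltName text, or None when it does not match or has no subgroup.
    Caveat: a leading greedy .* backtracks, so with several DNS Name entries
    the LAST one is captured; verify multi-name certs against the policy engine."""
    m = re.match(pattern, san_text)
    if m is None or m.lastindex is None:
        return None
    return m.group(1).strip()


def san_matches_fqdn(san_text, pattern, fqdn):
    """'Match subject Alt Name with FQDN': extracted subgroup vs. the FQDN.
    Assumption: hostnames compare case-insensitively, as DNS names do."""
    value = san_subgroup(san_text, pattern)
    return value is not None and value.lower() == fqdn.lower()


def issuer_matches(issuer_text, pattern):
    """'Match Issuer': the displayed issuer string (RDNs in display order,
    comma-separated) must satisfy the pattern; assumed anchored at both ends."""
    return re.fullmatch(pattern, issuer_text) is not None


def serial_matches(cert_serial, configured):
    """'Match Serial Number': exact match of the displayed colon-separated hex."""
    return cert_serial == configured


def serial_to_display(serial_int):
    """Render an integer serial as the colon-separated uppercase hex that
    OpenSSL/Windows tools display, so the field can be filled correctly."""
    digits = format(serial_int, "X")
    if len(digits) % 2:
        digits = "0" + digits
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def check_machine_cert(san_text, issuer_text, serial, fqdn, san_re, issuer_re, serial_cfg):
    """All configured checks must pass, as in the policy action."""
    return (san_matches_fqdn(san_text, san_re, fqdn)
            and issuer_matches(issuer_text, issuer_re)
            and serial_matches(serial, serial_cfg))
```

Calling san_subgroup with the documented pattern against a SAN that lists two DNS Names returns the second one, which is why the multi-name caveat in the docstring matters when writing the extraction regex.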