Manual Chapter : On-Demand Certificate Authentication

Applies To:

Show Versions Show Versions


  • 11.5.1
Manual Chapter

Overview: Requesting and validating an SSL certificate on demand

Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. You can configure a client SSL profile to skip the initial SSL handshake and add the On-Demand certificate authentication agent to the access policy to re-negotiate the SSL connection later. Access Policy Manager can perform the certificate request and validation task that is normally performed by the target server, on demand.

Use the agent when you want to request and validate a certificate only after a user has already completed some other steps (logged on, gone through an authentication process, or anything else you require). Wherever you place the On-Demand authentication action in your access policy, it performs an SSL re-handshake.

You might want to use this agent, for example, if all employees must gain access to the network before only a few employees can gain access to servers with sensitive information.

Exchanging SSL Certificates

Before you can use On-Demand certificate authentication successfully, you must exchange certificates between clients and the BIG-IP system.

The client needs a valid certificate with which to respond to a certificate request. The BIG-IP system includes a self-signed certificate that you can export and install on the client. As an alternative to the self-signed certificate, you can import a certificate and corresponding key (issued by your organization CA) into the BIG-IP system and install that on the client.

The BIG-IP systems needs the client root certificate installed on it.


Creating a custom Client SSL profile

Configure a client SSL profile to skip the initial SSL handshake and thereby support Access Policy Manager (APM) to perform an SSL handshake on demand.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client profile list screen opens.
  2. Click Create. The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select clientssl in the Parent Profile list.
  5. Scroll down to the Client Authentication area.
  6. Select the Custom check box for Client Authentication. The settings become available.
  7. For the Client Certificate setting, select ignore. When ignore is selected, the BIG-IP system skips the initial SSL handshake.
  8. For the Trusted Certificate Authorities setting, select a trusted certificate authority.
  9. Click Finished.

Adding On-Demand certificate authentication to an access policy

To successfully pass the On-Demand certificate authentication, the client browser must have a valid SSL certificate for the BIG-IP system.
Note: The client browser might stop responding if the client fails to provide a certificate. We strongly recommend that you add a Decision Box action in which you ask the user whether a valid certificate is installed and provide an option to not proceed to the On-Demand Cert Auth action when a valid certificate is not installed.
Add an On-Demand Cert Auth agent to an access policy to request and validate an SSL certificate anywhere in the session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select the Authentication tab. The tab displays a list of authentication actions.
  5. Select On-Demand Cert Auth and click Add Item. A properties screen opens.
  6. From the Auth Mode list, select one of these:
    • Request This is the default mode.
    • Required For an iPod or an iPhone, you must select this mode. (You can select this mode for other clients as well.)
      Note: To pass a certificate check using Safari, you will be asked to select the certificate multiple times. This is expected behavior.
  7. Click Save. The properties screen closes and the visual policy editor displays.
  8. Click the Apply Access Policy link to apply and activate the changes to the access policy.
The On-Demand Cert Auth action is included and applied to the access policy.

Adding client-side SSL and access profiles to a virtual server

You associate the client SSL and access profiles with the virtual server so that the BIG-IP system handles client-side SSL traffic as specified, and so that Access Policy Managercan apply the access profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  4. In the Access Policy area, from the Access Profile list, select the access profile.
  5. Click Update to save the changes.
The access policy and client-side SSL profiles are now associated with the virtual server.