The BIG-IP® system supplies a default certificate and a
ca-bundle.crt file that includes all well-known public
certificate authority (CA) certificates for client-side processing. Before you create a
client SSL profile, you might want to configure a trusted certificate to use for
client-side processing. To verify certificate revocation status, you must have obtained
a certificate revocation list (CRL) and imported it to the SSL Certificate List.
You create a custom client SSL profile to request an SSL certificate from the
client at the start of the session. This enables a Client Cert Inspection item in an
access policy to check whether a valid certificate was presented.
-
On the Main tab, click .
The Client SSL profile list screen opens.
-
Click Create.
The New Server SSL Profile screen opens.
-
In the Name field, type a unique name for the
profile.
-
From the Parent Profile list, select
clientssl.
-
Scroll down to the Client Authentication area.
-
Select the Custom check box for Client
Authentication.
The settings become available.
-
From the Client Certificate list, select request.
Alternatively, select require; however, if you do, the
user must provide a valid client certificate or the connection is not
allowed.
-
Optional:
If you imported a CRL, select it from the Certificate Revocation
List (CRL) list.
If you are using this client SSL profile in conjunction with an access policy
that performs OCSP Responder authentication or CRLDP authentication, do not
select a CRL.
-
Click Finished.
To put this client SSL profile into effect, select it in a virtual server that is
configured to accept HTTPS traffic.