[stunnel-users] Client cert auth ?
roam at ringlet.net
Tue Feb 27 16:14:43 CET 2018
On Tue, Feb 27, 2018 at 01:12:32PM +0100, Brian Ipsen wrote:
> I am trying to see if I can get stunnel to authenticate using a client certificate towards an F5 setup - but I am having trouble getting it to work.
> Certificates are issued from a Microsoft PKI - where the F5 checks validity via an OCSP responder.
> In my stunnel config file, I have:
> accept = 127.0.0.1:1598
> connect = F5test.xxx.dk:443
> delay = yes
> CAFile = GlobalSign-cert-Chain.pem
> Cert = BaaSClientCertificatePlain.pem
> key = BaaSClientCertificatePlain.key
> verify = 2
> In the CAFile, I have the root CA and issuing certificate from GlobalSign - which have created the SSL certificate being used on the F5 (server side).
> Cert and Key point to the certificate and private key from my internal Microsoft-based PKI. But should the certificate chain from my internal PKI be listed somewhere as well?
I don't have any experience with Microsoft PKIs or with F5, but IMHO it
is there - on the F5 SSL server - that both your internal root
certificate and the intermediate chain should be configured. From what
I've seen in a quick websearch, you can add a bundle (root +
intermediates) to the F5 trusted store.
If you have already done that and it doesn't work, maybe some logs might
be useful to people who are more familiar with F5 - both stunnel client
logs and any kind of logs that the F5 keeps.
Peter Pentchev roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
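
The point made in the reply above (the side that verifies the client certificate needs both the root and the intermediates), shown as an added example that is not part of the original thread. It assumes the openssl CLI (1.1.0 or later) is on PATH, builds a constructed throwaway PKI, and uses `openssl verify` as a stand-in for the server-side check; it does not model the F5 trust store or OCSP.

```bash
#!/usr/bin/env bash
# Added example. Constructed throwaway PKI: Demo Root CA -> Demo Issuing CA -> demo-client.
# Every name and file below is made up for the demo; none comes from the thread.

build_demo_pki() {   # $1 = empty working directory
  local d=$1
  # Self-signed root (the stock openssl.cnf marks "req -x509" output as a CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Issuing (intermediate) CA, signed by the root.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/issuing.pem" \
    2>/dev/null || return 1
  # Client certificate, signed by the issuing CA.
  printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/client.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
    -CAcreateserial -days 2 -extfile "$d/client.ext" -out "$d/client.pem" \
    2>/dev/null || return 1
  # The "root + intermediates" bundle a verifying server would be given.
  cat "$d/issuing.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Does the private key belong to the certificate? (the cert/key pair in the client config)
key_matches_cert() {   # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# A verifier that trusts only the root cannot find the client certificate's issuer.
verify_root_only() {   # $1 = PKI directory
  openssl verify -purpose sslclient -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1
}

# With root + issuing CA in the trusted bundle the chain can be built.
verify_with_bundle() {   # $1 = PKI directory
  openssl verify -purpose sslclient -CAfile "$1/bundle.pem" "$1/client.pem" >/dev/null 2>&1
}
```

Dropping the redirection in the two verify functions shows the error text for the root-only case, which is the kind of detail worth comparing against the server-side logs.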