[stunnel-users] Client cert auth ?

Peter Pentchev roam at ringlet.net
Tue Feb 27 16:14:43 CET 2018


On Tue, Feb 27, 2018 at 01:12:32PM +0100, Brian Ipsen wrote:
> 
> Hi
> 
>  I am trying to see if I can get stunnel to authenticate using a client certificate towards an F5 setup - but I am having trouble getting it to work.
> 
> Certificates are issued from a Microsoft PKI - where the F5 checks validity via an OCSP responder.
> 
> In my stunnel config file, I have:
> 
> 
> [F5Cert]
> client=yes
> accept = 127.0.0.1:1598
> connect = F5test.xxx.dk:443
> delay = yes
> CAFile = GlobalSign-cert-Chain.pem
> Cert = BaaSClientCertificatePlain.pem
> key = BaaSClientCertificatePlain.key
> verify = 2
> 
> In the CAFile, I have the root CA and issuing certificate from GlobalSign - which have created the SSL certificate being used on the F5 (server side).
> 
> Cert and Key point to the certificate and private key from my internal Microsoft-based PKI. But should the certificate chain from my internal PKI be listed somewhere as well?

I don't have any experience with Microsoft PKIs or with F5, but IMHO it
is there - on the F5 SSL server - that both your internal root
certificate and the intermediate chain should be configured.  From what
I've seen in a quick websearch, you can add a bundle (root +
intermediates) to the F5 trusted store.

If you have already done that and it doesn't work, maybe some logs might
be useful to people who are more familiar with F5 - both stunnel client
logs and any kind of logs that the F5 keeps.

G'luck,
Peter

-- 
Peter Pentchev  roam at ringlet.net roam at FreeBSD.org pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
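Added example (not part of the thread, and not stunnel or F5 code): the trust-store point above, reproduced offline with openssl. The script builds a throwaway two-tier "internal PKI" (root -> issuing CA -> client certificate), plus an unrelated self-signed root standing in for the public chain that signed the F5's server certificate, and then checks which trust bundles let a verifier accept the client certificate. All CA names, file names and the mktemp work directory are constructed for the demo; the stand-in names are not the poster's real certificates.

```shell
#!/bin/sh
# Added example, not part of the thread: build a throwaway two-tier "internal
# PKI" (root -> issuing CA -> client cert) plus an unrelated self-signed root
# standing in for the public chain behind the F5's server cert, then check
# which trust bundles let a verifier accept the client cert.
# Every name and file here is constructed for the demo. Requires openssl.
set -eu

# Extension profiles for the CA certs and for the leaf client cert.
write_profiles() {
    cat > "$1/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    cat > "$1/client.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF
}

# new_key_and_csr DIR NAME CN: fresh RSA key + CSR (no passphrase, demo only).
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_pki DIR: creates root.crt, issuing.crt, client.crt, public.crt and
# internal-bundle.pem (root + issuing CA, what the server side must trust).
make_pki() {
    dir=$1
    mkdir -p "$dir"
    write_profiles "$dir"

    new_key_and_csr "$dir" root "Example Internal Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    new_key_and_csr "$dir" issuing "Example Internal Issuing CA"
    openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/issuing.crt" 2>/dev/null

    new_key_and_csr "$dir" client "baas-client"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/issuing.crt" -CAkey "$dir/issuing.key" \
        -CAcreateserial -days 2 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

    new_key_and_csr "$dir" public "Unrelated Public Root CA"
    openssl x509 -req -in "$dir/public.csr" -signkey "$dir/public.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/public.crt" 2>/dev/null

    cat "$dir/root.crt" "$dir/issuing.crt" > "$dir/internal-bundle.pem"
}

# verify_client CAFILE CERT [UNTRUSTED]: validate CERT as a TLS client cert
# against the trusted bundle CAFILE, optionally with the intermediates the
# client presented in the handshake (UNTRUSTED). Returns openssl's exit status.
# The freshly generated roots are not in the system store, so the outcome
# depends only on CAFILE, as it would on a server with an explicit bundle.
verify_client() {
    if [ -n "${3:-}" ]; then
        openssl verify -purpose sslclient -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# report LABEL CAFILE CERT [UNTRUSTED]: print the outcome of one scenario.
report() {
    label=$1; shift
    if verify_client "$@"; then r=accepted; else r=REJECTED; fi
    printf '%-54s %s\n' "$label" "$r"
}

main() {
    work=$(mktemp -d)
    make_pki "$work"
    echo "Server trust store -> result for the internal-PKI client cert:"
    report "internal root only, client sends leaf only"        "$work/root.crt" "$work/client.crt"
    report "internal root only, client sends leaf + issuing"   "$work/root.crt" "$work/client.crt" "$work/issuing.crt"
    report "internal root + issuing CA bundle"                 "$work/internal-bundle.pem" "$work/client.crt"
    report "issuing CA only (no root, no partial-chain flag)"  "$work/issuing.crt" "$work/client.crt"
    report "unrelated public root, client sends leaf + issuing" "$work/public.crt" "$work/client.crt" "$work/issuing.crt"
    rm -rf "$work"
}

main
```

The two scenarios that get accepted are the ones with a path to the internal root: either the server trusts the root + issuing bundle, or it trusts the root alone and the client presents the issuing CA in the handshake. The "-untrusted issuing.crt" case models the latter: per the stunnel manual, the file given to "cert" is a chain file holding the client certificate followed by its issuing CAs, so appending the internal issuing certificate to BaaSClientCertificatePlain.pem makes stunnel send it. The public root case shows why the GlobalSign chain in CAFile has no bearing on client authentication; it only verifies the F5's server certificate on the stunnel side.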