On Tue, Feb 27, 2018 at 01:12:32PM +0100, Brian Ipsen wrote:
> Hi
>
> I am trying to see if I can get stunnel to authenticate using a client
> certificate towards a F5 setup - but I am having trouble getting it to work.
>
> Certificates are issued from a Microsoft PKI - where the F5 checks validity
> via an OCSP responder.
>
> In my stunnel config file, I have:
>
> [F5Cert]
> client=yes
> accept = 127.0.0.1:1598
> connect = F5test.xxx.dk:443
> delay = yes
> CAFile = GlobalSign-cert-Chain.pem
> Cert = BaaSClientCertificatePlain.pem
> key = BaaSClientCertificatePlain.key
> verify = 2
>
> In the CAFile, I have the root CA and issuing certificate from GlobalSign -
> which have created the SSL certificate being used on the F5 (server side).
>
> Cert and Key point to the certificate and private key from my internal
> Microsoft based PKI. But should the certificate chain from my internal PKI
> be listed somewhere as well?

I don't have any experience with Microsoft PKIs or with F5, but IMHO it is
there - on the F5 SSL server - that both your internal root certificate and
the intermediate chain should be configured. From what I've seen in a quick
websearch, you can add a bundle (root + intermediates) to the F5 trusted store.

If you have already done that and it doesn't work, maybe some logs might be
useful to people who are more familiar with F5 - both stunnel client logs
and any kind of logs that the F5 keeps.

G'luck,
Peter

-- 
Peter Pentchev [email protected] [email protected] [email protected]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
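
As an added illustration (not part of either message, and not stunnel or F5 configuration): the script below builds a constructed throw-away three-level PKI with openssl and shows that a client certificate issued by an intermediate CA verifies only when the verifying side trusts the root and can also obtain the intermediate, either from its own trust bundle or supplied alongside the leaf. All CA names, file names and the `build_pki`/`verify_client` helpers are made up for the demonstration.

```sh
#!/bin/sh
# Added example: constructed PKI (root -> issuing CA -> client certificate).
# Every name and path below is made up; nothing here comes from the thread.

mk_key_csr() {   # $1=dir  $2=basename  $3=CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_pki() {    # $1=work directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/leaf.ext"
  mk_key_csr "$1" root    "Constructed Internal Root CA"
  mk_key_csr "$1" issuing "Constructed Internal Issuing CA"
  mk_key_csr "$1" client  "constructed-client"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -set_serial 1 -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -in "$1/issuing.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -days 2 -set_serial 2 -extfile "$1/ca.ext" -out "$1/issuing.pem" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/issuing.pem" -CAkey "$1/issuing.key" \
    -days 2 -set_serial 3 -extfile "$1/leaf.ext" -out "$1/client.pem" 2>/dev/null
  cat "$1/root.pem" "$1/issuing.pem" > "$1/bundle.pem"   # root + intermediate
}

# Succeeds only if openssl reports the client certificate as valid for TLS client auth.
ossl_verify() {
  openssl verify -purpose sslclient "$@" 2>/dev/null | grep -q ': OK$'
}

# The verifier's decision for three layouts of trust material.
verify_client() {  # $1=dir  $2=root_only|bundle|chain_sent
  case $2 in
    root_only)  ossl_verify -CAfile "$1/root.pem" "$1/client.pem" ;;      # intermediate unknown
    bundle)     ossl_verify -CAfile "$1/bundle.pem" "$1/client.pem" ;;    # verifier holds root + intermediate
    chain_sent) ossl_verify -CAfile "$1/root.pem" \
                  -untrusted "$1/issuing.pem" "$1/client.pem" ;;          # intermediate supplied with the leaf
    *) return 2 ;;
  esac
}

demo() {
  d=$(mktemp -d) || return 1
  build_pki "$d"
  for mode in root_only bundle chain_sent; do
    if verify_client "$d" "$mode"; then echo "$mode: accepted"; else echo "$mode: rejected"; fi
  done
  rm -rf "$d"
}
demo
```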
