Hi
I am trying to see if I can get stunnel to authenticate using a client certificate towards an F5 setup - but I am having trouble getting it to work.
Certificates are issued from a Microsoft PKI - where the F5 checks validity via an OCSP responder.
In my stunnel config file, I have:
    [F5Cert]
    client = yes
    accept = 127.0.0.1:1598
    connect = F5test.xxx.dk:443
    delay = yes
    CAFile = GlobalSign-cert-Chain.pem
    Cert = BaaSClientCertificatePlain.pem
    key = BaaSClientCertificatePlain.key
    verify = 2
In the CAFile, I have the root CA and issuing certificate from GlobalSign - which have created the SSL certificate being used on the F5 (server side).
Cert and Key point to the certificate and private key from my internal Microsoft based PKI. But should the certificate chain from my internal PKI be listed somewhere as well?
Is this the way to do it - and is stunnel capable of handling client certificate validation?
Regards Brian
On Tue, Feb 27, 2018 at 01:12:32PM +0100, Brian Ipsen wrote:
> Hi
> I am trying to see if I can get stunnel to authenticate using a client certificate towards an F5 setup - but I am having trouble getting it to work.
> Certificates are issued from a Microsoft PKI - where the F5 checks validity via an OCSP responder.
> In my stunnel config file, I have:
>
>     [F5Cert]
>     client = yes
>     accept = 127.0.0.1:1598
>     connect = F5test.xxx.dk:443
>     delay = yes
>     CAFile = GlobalSign-cert-Chain.pem
>     Cert = BaaSClientCertificatePlain.pem
>     key = BaaSClientCertificatePlain.key
>     verify = 2
>
> In the CAFile, I have the root CA and issuing certificate from GlobalSign - which have created the SSL certificate being used on the F5 (server side).
> Cert and Key point to the certificate and private key from my internal Microsoft based PKI. But should the certificate chain from my internal PKI be listed somewhere as well?
I don't have any experience with Microsoft PKIs or with F5, but IMHO it is there - on the F5 SSL server - that both your internal root certificate and the intermediate chain should be configured. From what I've seen in a quick web search, you can add a bundle (root + intermediates) to the F5 trusted store.
If you have already done that and it doesn't work, maybe some logs might be useful to people who are more familiar with F5 - both stunnel client logs and any kind of logs that the F5 keeps.
G'luck, Peter
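The following is an added example, not a config from either of the posts above. It shows how the two certificate roles in Brian's service section are kept apart: CAFile is what stunnel uses to verify the F5's server certificate, while cert is what stunnel presents to the F5, and stunnel's manual expects that file to hold the client's own certificate first, followed by the intermediate CA certificate(s) that issued it, in PEM format. That is where the internal PKI's issuing certificate belongs on the client side; the internal root must be trusted on the F5, as Peter says. The file name InternalIssuingCA.pem and BaaSClientCertificateChain.pem are assumed names for illustration; the other host and file names are those from the thread.

```ini
; Added example (not the original poster's config): client-mode stunnel
; service doing mutual TLS towards the F5.
[F5Cert]
client  = yes
accept  = 127.0.0.1:1598
connect = F5test.xxx.dk:443
delay   = yes

; --- What stunnel VERIFIES: the F5's server certificate ---
; CAFile holds the CA chain that issued the F5's certificate (GlobalSign
; root + issuing CA). verify = 2 rejects a server certificate that does not
; chain to CAFile (newer stunnel 5.x also spells this "verifyChain = yes"),
; but it does not compare the hostname; checkHost pins the expected subject.
CAFile    = GlobalSign-cert-Chain.pem
verify    = 2
checkHost = F5test.xxx.dk

; --- What stunnel PRESENTS: the client certificate from the internal PKI ---
; cert must contain the client certificate FIRST, then the issuing CA
; certificate(s) from the Microsoft PKI, all PEM. The internal root is not
; needed in this file; the F5's trusted store must hold it (Peter's point).
; Assumed bundle built with:
;   cat BaaSClientCertificatePlain.pem InternalIssuingCA.pem > BaaSClientCertificateChain.pem
cert = BaaSClientCertificateChain.pem
key  = BaaSClientCertificatePlain.key

; Optional (stunnel 5.x): let stunnel check the F5's certificate against the
; OCSP responder named in its AIA extension, mirroring the check the F5
; performs on the client certificate.
OCSPaia = yes

; Verbose logging while troubleshooting the handshake.
debug = 7
```

Before pointing stunnel at the bundle, confirm the chain is what you think it is with `openssl verify -CAfile InternalRootCA.pem -untrusted InternalIssuingCA.pem BaaSClientCertificatePlain.pem` (InternalRootCA.pem being an assumed name for the internal root), and exercise the handshake directly with `openssl s_client -connect F5test.xxx.dk:443 -cert BaaSClientCertificateChain.pem -key BaaSClientCertificatePlain.key -CAfile GlobalSign-cert-Chain.pem`; an "unknown ca" or "certificate unknown" alert from the F5 at that point means the F5 side does not trust the internal chain, which is the F5 configuration Peter describes rather than anything in stunnel.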