APM Certificate authentication - DENY for users who's cert subject does notmatch the regexp grab

Question

Trying to restrict certificate authentication for specific users - &nbsp;
Certificate Subject CN=lab.username - the 'lab.' is the unique piece.&nbsp;
I'm using this to grab the username in a variable assign:
regexp {(?x)(CN)=lab.([^,]+)} [mcget {session.ssl.cert.subject}] match CN USER; return $USER&nbsp;
IF a certificate not from lab comes across (CN=Username) I want to deny.&nbsp;
The sessions are coming in using clientless mode.  &nbsp;
I've tried a branch rule on the variable assign using the regexp as it appears above but it doesn't deny the CN=Username certificates.&nbsp;
Can I do a match on the certificate authentication for the "CN=lab." only and fail the rest?&nbsp;
thanks!&nbsp;

ruggerfly1 · Answer

Update - any feedback on this approach:&nbsp;
After the certificate Inspection I added an Empty box, it is using this expression:
expr { [mcget {session.ssl.cert.subject}] contains "lab" }, which catches the lower case "lab" in the full username, seems to be working.&nbsp;
Has anyone used this approach?&nbsp;

Forum Discussion

APM Certificate authentication - DENY for users who's cert subject does notmatch the regexp grab

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can you help with getting a BigIP virtual edition serial key

VIP in https that redirect to another vip in https

In Using the AST tool am I pointing it to TENANTS or to the F5OS(hardware) I have?

2026 is Almost Here

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Related Content

Automating Certificate Management on F5 BIG-IP

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS