APM: selecting clientssl profile based on client certificate
Hi All,
I am using a self signed CA to provide client authentication for APM.
We have recently swapped to a new CA and need to retire the old CA.
The issue I have is that in order to cut over from the old CA to the new CA, both CAs need to authenticate clients in the APM module (On-Demand Certificate Authentication) at the same time.
The flow I would like to create would look something like this:
- On the On-Demand Cert Auth in APM, the CA issuer of the client (user) certificate is identified. This iRule variable should do the trick: [X509::issuer [SSL::cert 0]]
- Based on the result, the clientssl profile, including CRL, for the associated CA is used for authentication. This will mean applying to the LTM virtual server
To complicate matters I have SNI enabled on the virtual servers.
I have seen iRules that could be reworked if this was an LTM-only issue, for example https://devcentral.f5.com/questions/modifying-http-header-on-the-basis-of-ssl-certificate and https://devcentral.f5.com/questions/client-ssl-cert-irule could be modified, however APM is requesting and validating the client certificate, so linking that back to the LTM policy is slightly harder (Apple devices connecting, so doing the auth on the LTM is an unpleasant user journey - don't want users getting prompted for a certificate constantly). Also iRule events like CLIENTSSL_CLIENTCERT and CLIENTSSL_HANDSHAKE do not respond with the [X509::issuer [SSL::cert 0]] variable in LTM. These are only picked up in the APM, which puts the cart before the horse so to speak, as LTM sets these before APM is invoked as far as I can tell.
Has anyone on the forum had to migrate to a new user CA before with APM and how did you do it?
BR,
Ben.
3 Replies
- Renato
Altostratus
You can concatenate both the CA bundles in a single file and use it as your trusted/advertised CA. By doing this, the SSL profile will authenticate certificates issued by both CAs.
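The following is an added example (not code from this thread, from F5 or from BIG-IP) showing what the concatenated-bundle approach does at the certificate-validation level: two constructed self-signed CAs ("old-ca" and "new-ca"), one client certificate issued by each, a single PEM file holding both CA certificates, and a check that each client certificate chains to the bundle but not to the other CA alone. It assumes only the openssl command-line tool (1.1.1 or later); every name and file path in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: builds a combined trusted-CA
# bundle from an old and a new self-signed CA and checks that client certificates
# issued by either CA validate against it. Needs the openssl CLI (1.1.1+).
# All CA and client names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : create a self-signed CA (key + certificate) under $WORK.
# The CA extensions are supplied explicitly so the result does not depend
# on the contents of the local openssl.cnf.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca-ext.cnf"
  openssl x509 -req -sha256 -days 30 -signkey "$WORK/$1.key" -in "$WORK/$1.csr" \
    -extfile "$WORK/ca-ext.cnf" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_client CA NAME : create a client key + CSR and have CA sign it.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -CAcreateserial \
    -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_cert BUNDLE CERT : exit 0 if CERT chains to a CA in BUNDLE, else non-zero.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_cn CERT : print the issuer CN of CERT (e.g. "old-ca"), which is the
# same value the iRule expression [X509::issuer [SSL::cert 0]] would surface.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Two CAs (the one being retired and its replacement) and one client each.
make_ca old-ca
make_ca new-ca
issue_client old-ca old-client
issue_client new-ca new-client

# The cutover bundle: both CA certificates concatenated into one PEM file.
# This is the file the clientssl profile's trusted/advertised CA setting
# would reference during the overlap period.
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/ca-bundle.crt"

# Report which clients the bundle accepts and who issued them.
for c in old-client new-client; do
  if verify_cert "$WORK/ca-bundle.crt" "$WORK/$c.crt"; then
    echo "$c (issuer $(issuer_cn "$WORK/$c.crt")): accepted by bundle"
  else
    echo "$c: rejected by bundle"
  fi
done
```

Both clients validate against the bundle, while each one fails against the other CA's certificate on its own, which is the behaviour the profile inherits once the bundle is installed. Note that the example performs no revocation checking: during the overlap the revocation data for both CAs still has to be honoured, and concatenating the CA certificates alone does not cover that.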
- Ben_Thornton_10
Nimbostratus
Thanks Renato - woke up this morning after posting this thinking along the same lines.
Will give it a go and let you know if that fixes it.
Ben.
- Ben_Thornton_10
Nimbostratus
Just tested and this fix works.
Thanks all.