C3D forged certificate
I have a service that requires client authentication "mutual TLS" between the app server and the client.
Since BIG-IP is in between, I configured my virtual server to use C3D (Client Certificate Constrained Delegation) following KB https://my.f5.com/manage/s/article/K14065425
However, the app server is unable to authenticate the client and getting "invalid thumbprint" in server logs.
I wonder what information is used from the original client certificate in order for BIG-IP to generate the forged client certificate for use in server-side client certificate authentication?
And is there any way to pass the certificate thumbprint to the app server? Maybe utilizing "Custom Certificate Extensions" in the server-ssl profile?
Here's another resource for C3D configuration: https://community.f5.com/t5/technical-articles/ssl-orchestrator-advanced-use-cases-client-certificate/ta-p/286005. It's specific to SSL Orchestrator integration, but goes into detail on the C3D setup and various use cases.
Per your question, C3D forges a new client certificate, signed/issued from your local CA. During the forging process, C3D will copy important attributes over from the real certificate, including subject CN, any extensions you specify to be copied in the "Certificate Extensions" setting in the server SSL profile, plus any that you may inject via SSL::c3d iRules. It won't have the same issuer, fingerprint, thumbprint, etc. because it's effectively a new certificate from a different issuer. Your internal application needs to be able to validate client certificates from this new/local CA.
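To make the answer concrete, here is an added Go example (not BIG-IP code, and not taken from the KB or the article linked above) that models what the answer describes: a client certificate is re-issued from a separate local CA with a fresh key, the subject and a selected extension are copied over, and the SHA-256 fingerprint of the result is compared with the original. It also illustrates the asker's idea of carrying the original certificate's thumbprint to the back end in a custom extension; the two private-arc OIDs, the "department" extension and the subject values are constructed for this example and are assumptions, not anything BIG-IP emits. The point for the application owner is visible in the returned `Result`: the forged certificate chains to the local CA only, and a thumbprint check has to be re-pointed at the copied value rather than at the certificate actually presented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Both OIDs are constructed for this example (private-enterprise arc); BIG-IP does not use them.
var (
	oidDepartment      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // sample extension that gets copied
	oidOrigFingerprint = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2} // carries the original SHA-256 fingerprint
)

// Result collects what a back-end application would observe about the re-issued certificate.
type Result struct {
	OrigFingerprint, ForgedFingerprint, RecoveredFingerprint    string
	SameSubject, DeptCopied, TrustedByLocalCA, TrustedByOrigCA bool
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	return n
}

// issue signs tmpl with signer on behalf of parent; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, nil, &key.PublicKey, key), key
}

// Fingerprint is the SHA-256 digest of the DER certificate, i.e. the "thumbprint" a server would log.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Forge re-issues orig from localCA under a fresh key, copying the subject, EKU and every extension
// whose OID is listed in copyOIDs, and adds the original fingerprint in a custom extension.
func Forge(orig *x509.Certificate, copyOIDs []asn1.ObjectIdentifier, localCA *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := mustKey() // the proxy holds this key; the client's private key never leaves the client
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: orig.Subject,
		NotBefore: orig.NotBefore, NotAfter: orig.NotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: orig.ExtKeyUsage,
	}
	for _, e := range orig.Extensions {
		for _, oid := range copyOIDs {
			if e.Id.Equal(oid) {
				tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, e)
			}
		}
	}
	sum := sha256.Sum256(orig.Raw)
	val, _ := asn1.Marshal(sum[:]) // encoded as an OCTET STRING
	tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidOrigFingerprint, Value: val})
	return issue(tmpl, localCA, &key.PublicKey, caKey)
}

// extension returns the raw value of the extension with the given OID, if present.
func extension(c *x509.Certificate, oid asn1.ObjectIdentifier) ([]byte, bool) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			return e.Value, true
		}
	}
	return nil, false
}

// trusted reports whether c chains to ca as a client-authentication certificate.
func trusted(c, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo builds a constructed client CA, a constructed local (C3D-style) CA, a client certificate and its re-issued copy.
func Demo() Result {
	origCA, origCAKey := newCA("Constructed Client CA")
	localCA, localCAKey := newCA("Constructed Local C3D CA")
	deptVal, _ := asn1.Marshal("payments") // constructed sample value
	clientKey := mustKey()
	orig := issue(&x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidDepartment, Value: deptVal}},
	}, origCA, &clientKey.PublicKey, origCAKey)

	forged := Forge(orig, []asn1.ObjectIdentifier{oidDepartment}, localCA, localCAKey)
	var recovered []byte
	if v, ok := extension(forged, oidOrigFingerprint); ok {
		asn1.Unmarshal(v, &recovered)
	}
	dept, _ := extension(forged, oidDepartment)
	return Result{
		OrigFingerprint: Fingerprint(orig), ForgedFingerprint: Fingerprint(forged),
		RecoveredFingerprint: hex.EncodeToString(recovered),
		SameSubject:          forged.Subject.String() == orig.Subject.String(),
		DeptCopied:           string(dept) == string(deptVal),
		TrustedByLocalCA:     trusted(forged, localCA), TrustedByOrigCA: trusted(forged, origCA),
	}
}

func main() {
	r := Demo()
	fmt.Printf("original  %s\nforged    %s\nrecovered %s\n", r.OrigFingerprint, r.ForgedFingerprint, r.RecoveredFingerprint)
	fmt.Printf("same subject=%v dept copied=%v trusted by local CA=%v trusted by original CA=%v\n",
		r.SameSubject, r.DeptCopied, r.TrustedByLocalCA, r.TrustedByOrigCA)
}
```

Running `go run .` prints two different fingerprints with the original one recovered from the custom extension, plus `same subject=true dept copied=true trusted by local CA=true trusted by original CA=false`. That last pair is the "invalid thumbprint" situation from the question: unless the application trusts the local CA and reads any forwarded thumbprint from a field the proxy populates, it is comparing the digest of a certificate it has never seen before.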