Forum Discussion

VladTC_372671
Oct 10, 2018

Check SSL certificate before forwarding to backend

Hello,


I have an application that verifies a client certificate from the request. This application is hosted on an IIS server. The client makes the request through a BigIP F5 proxy. I have made an SSL profile for the client certificate (that contains the cert and key), and now the certificate is forwarded to the IIS server with the request, and this is a good thing. The problem is that the certificate from the client profile is always forwarded, even if no certificate is present in the request or another certificate is attached to the request. How can I make a rule or something to forward the certificate from the client profile only if the right certificate is present in the request?


Thank you!


  • So what you're doing right now is forwarding a statically-defined client certificate to the IIS server from the server SSL profile. You're not, and cannot, send the real client certificate (the one sent by the client) to the server. If this is your intention, then the easiest solution is to simply switch the server SSL profile based on some attribute of the client side connection. Attach a server SSL profile to the VIP that does not send a client cert, then attach something like this to the VIP:

    when CLIENTSSL_CLIENTCERT {
        # triggered when a client certificate is received
        # replace the bracketed placeholder with the name of your server SSL profile
        SSL::profile [your cert-injecting server SSL profile]
    }
    

    If, however, it's your intention to send a different client certificate to the server for each request, then your best option is to use a 13.1 feature called "Client Certificate Constrained Delegation", which effectively forges a client certificate to internal servers.
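The following iRule is an added, fuller version of the profile-switching approach in the answer above; it is not code from the original thread. It only switches to the cert-injecting server SSL profile once the client certificate has actually been presented, has validated against the trusted CA bundle of the client SSL profile, and has a subject on an allow-list, which is what "only if the right certificate is present" requires. Profile names (`serverssl_inject`), the data group name (`allowed_client_subjects`) and the `X-Client-Subject` header are placeholders chosen for the example; calling `SSL::profile` from `CLIENTSSL_CLIENTCERT` follows the answer and is assumed valid there on the reader's TMOS version.

```tcl
# Added example, not from the original post. Assumed objects on the virtual server:
#   client SSL profile : Client Authentication = "require" (or "request"),
#                        with the issuing CA in its Trusted CA bundle so that
#                        CLIENTSSL_CLIENTCERT fires and SSL::verify_result is meaningful
#   server SSL profile : attached by default, sends NO client certificate
#   serverssl_inject   : hypothetical server SSL profile carrying the cert+key IIS expects
#   allowed_client_subjects : hypothetical string data group of permitted subject DNs

when CLIENT_ACCEPTED {
    # Default for every connection: plain server-side TLS, nothing injected.
    set inject 0
    set client_subject ""
}

when CLIENTSSL_CLIENTCERT {
    # Defensive: with "request" mode the handshake continues even if the client
    # sends no certificate, so check that one is really there.
    if { [SSL::cert count] < 1 } {
        log local0. "[IP::client_addr]: no client certificate presented"
        return
    }

    # 0 means the chain validated against the profile's Trusted CAs; any other
    # value is an OpenSSL verify error code. Never trust the subject before this.
    if { [SSL::verify_result] != 0 } {
        log local0. "[IP::client_addr]: client certificate failed validation, code [SSL::verify_result]"
        return
    }

    set client_subject [X509::subject [SSL::cert 0]]

    # Only the "right" certificate (a subject on the allow-list) flips the
    # server-side profile for this connection; everyone else stays on the
    # default profile and reaches IIS without any injected certificate.
    if { [class match $client_subject equals allowed_client_subjects] } {
        set inject 1
        SSL::profile serverssl_inject
        log local0. "[IP::client_addr]: $client_subject accepted, injecting backend client cert"
    } else {
        log local0. "[IP::client_addr]: $client_subject is not on the allow-list"
    }
}

when HTTP_REQUEST {
    # Optional: tell IIS which real identity was verified at the edge, since the
    # injected certificate is always the same one. Strip any client-supplied copy
    # of the header first so it cannot be spoofed from outside.
    HTTP::header remove X-Client-Subject
    if { $inject } {
        HTTP::header insert X-Client-Subject $client_subject
    }
}
```

The checks are ordered deliberately: presence, then chain validation, then the subject allow-list. Reading `X509::subject` before `SSL::verify_result` is 0 would let anyone who can self-sign a certificate with the expected CN trigger the profile switch. The `X-Client-Subject` header is only useful if IIS is configured to trust it solely from the BIG-IP's addresses; otherwise leave that event out.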