Forum Discussion
Check SSL certificate before forwarding to backend
So what you're doing right now is forwarding a statically-defined client certificate to the IIS server from the server SSL profile. You're not, and cannot, send the real client certificate (the one sent by the client) to the server. If this is your intention, then the easiest solution is to simply switch the server SSL profile based on some attribute of the client side connection. Attach a server SSL profile to the VIP that does not send a client cert, then attach something like this to the VIP:
when CLIENTSSL_CLIENTCERT {
    # triggered when a client certificate is received
    SSL::profile [your cert-injecting server SSL profile]
}
If, however, it's your intention to send a different client certificate to the server for each request, then your best option is to use a 13.1 feature called "Client Certificate Constrained Delegation", which effectively forges a client certificate to internal servers.
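An added example, not part of the original reply: the same profile switch, but gated on the client certificate being present, passing verification, and matching an expected subject before the cert-injecting server SSL profile is selected. The profile name `/Common/serverssl_inject_cert` and the subject pattern are hypothetical placeholders; it assumes the VIP's default server SSL profile sends no client certificate.

```tcl
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: keep the default (no client cert) server SSL profile.
    if { [SSL::cert count] == 0 } {
        return
    }

    # 0 means the client SSL profile's chain verification succeeded (X509_V_OK).
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0. "client cert rejected: [X509::verify_cert_error_string $vr]"
        return
    }

    # Decide on an attribute of the presented certificate, here its subject.
    set subject [X509::subject [SSL::cert 0]]
    switch -glob -- $subject {
        "*OU=Partners*" {
            # Hypothetical profile that presents the static client cert to IIS.
            SSL::profile /Common/serverssl_inject_cert
        }
        default {
            log local0. "client cert subject not mapped to a profile: $subject"
        }
    }
}
```

Any path that returns early or falls through to `default` leaves the connection on the non-injecting profile, so the backend only sees the static client certificate for clients whose own certificate was verified and matched.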