Forum Discussion

Nimbostratus

Aug 18, 2009

client certificate authentication for a particular directory

Hi I need to use client certificate authentication for a particular directory, for example: on https://demo.com (no authentication needed) https://d...

config

design

hoolio

Cirrostratus

Aug 20, 2009

You'll need to set the client SSL profile to ignore client certs. In the iRule, after examining the requested URI and finding a request to a restricted URI, you'll want to renegotiate the SSL handshake with the client and dynamically set the client SSL filter to request a client cert. You can do this using:

HTTP::collect

SSL::session invalidate

SSL::authenticate always

SSL::authenticate depth 9

SSL::cert mode request

SSL::renegotiate

Make sure to include 'SSL::session invalidate' to force browsers to renegotiate a new SSL session ID. Not all versions of IE will do this otherwise.

Aaron

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

client certificate authentication for a particular directory

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Automating Certificate Management on F5 BIG-IP

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Automating ACMEv2 Certificate Management on BIG-IP

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS