Forum Discussion
Client Certificate authentication
Doing client certificate request in the client SSL profile or doing it in APM with the On-Demand Cert Auth agent are going to provide the same result, with a few minor differences. In any case, you're setting request, which is a "soft fail", meaning that if a certificate error occurs, or if no certificate is presented at all, it'll fail open. This is what you need if some clients won't have a certificate, but it doesn't provide any built-in constraints. For that you'd need an iRule or APM code logic to read some attribute of the certificate and make a decision. If you used an agent in the VPE, you could look at attributes of the incoming client certificate with:
session.ssl.cert.*where * could be any number of attributes. Here's a quick list of some of those attributes: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-11-6-0/5.html?sr=56810247
With this you could read the certificate subject, CN, issuer, validity dates, other attributes, and anything in the extensions field to make an access decision.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com