Forum Discussion
Andy_4962
Nimbostratus
Feb 02, 2010
Client Certificate Request on demand
Hello group!
I cannot seem to get a client cert request to appear to the end user a second time in a single session.
For authentication purposes, I want to allow the end...
hoolio
Cirrostratus
Feb 02, 2010
Hi Andy,
You would want to check to see if a cert has been provided using SSL::cert count and possibly validate it against a trusted CA root cert configured in the client SSL profile using SSL::verify. You could then add the cert or cert details to the session table with the SSL session ID as a lookup key. On each HTTP request for "restricted" URIs you'd check whether the client has already provided a valid cert stored in the session table.
For more examples, you can search the forums for 'client cert request'. This process is a bit simpler in v10.1.0 as LTM saves the SSL cert details for the duration of the SSL session. I think there is a new access control module with v10.1 that you could possibly use for this as well once the product coalesces:
BIG-IP APM:
https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote_apm_10_1_0.html
Aaron
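The flow described in the reply above, sketched as an iRule (an added example, not code posted in the thread). The `/restricted` prefix, the 600-second cache lifetime and a client SSL profile that ignores client certificates on the initial handshake are assumptions; validation is checked here with `SSL::verify_result`.

```tcl
# Added example. Values marked (assumed) are illustrative, not from the thread.
when RULE_INIT {
    # (assumed) URI prefix that requires a client certificate
    set static::restricted_prefix "/restricted"
    # (assumed) lifetime in seconds of a cached "cert seen" entry
    set static::cert_cache_timeout 600
}

when HTTP_REQUEST {
    # Only restricted URIs trigger the on-demand certificate request
    if { [string tolower [HTTP::path]] starts_with $static::restricted_prefix } {
        # Look up the session table using the SSL session ID as the key
        if { [session lookup ssl [SSL::sessionid]] eq "" } {
            # No validated cert recorded for this SSL session:
            # hold the HTTP request and renegotiate, requiring a cert
            HTTP::collect
            SSL::cert mode require
            SSL::authenticate once
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client answers the certificate request
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Chain validated against the trusted CA in the client SSL profile.
        # Record the subject so later requests in this session skip renegotiation.
        session add ssl [SSL::sessionid] [X509::subject [SSL::cert 0]] $static::cert_cache_timeout
        # Let the held request for the restricted URI continue
        HTTP::release
    } else {
        # No cert, or the chain failed validation: log the reason and drop
        log local0. "Client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
    }
}
```

Only the certificate subject is cached here; store the whole certificate instead if later requests need other fields from it.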