Forum Discussion
William_Them_99
Nimbostratus
Jul 20, 2005
Client Certificates at the Backend?
We have successfully configured the BIGIP device to require client certificates - it accepts the certs and passes the traffic through. Now, we need to be able to read and manipulate the client cert a...
William_Them_99
Nimbostratus
Jun 21, 2007
I don't have an example in Java, as I wrote our code in ASP.NET, but I can show you what we did.
First, I used the iRule code mentioned in this post to put the cert in the header. Then I grabbed that value from the header with the code below:
If Trim(Request.ServerVariables("HTTP_SSLCLIENTCERT")) <> "" Then
CERTFROMHEADER.Value = Trim(Request.ServerVariables("HTTP_SSLCLIENTCERT"))
...
End If
(Note that .NET prepends the "HTTP_" to all header variables)
As discussed in this post, the value in my CERTFROMHEADER variable is a base64 encoded string - otherwise known as PEM format for the certificate. The problem is that .NET only allows you to manipulate the cert in the DER format (at least with the version of the framework we are running). So, I had to use the Microsoft utility CERTUTIL.EXE to convert the PEM cert to a DER cert and then open it as a .NET object as shown below:
'create a file name for the temporary storage of the certificate to disk and its converted form
temp_file_name = "cert_PEM_" & Replace(Replace(DateTime.Now.TimeOfDay.ToString.Replace(".", "_"), ":", ""), " ", "") & ".cer"
temp_output_file_name = "cert_DER_" & Replace(Replace(DateTime.Now.TimeOfDay.ToString.Replace(".", "_"), ":", ""), " ", "") & ".cer"
file_save_result = SaveTextToFile(Trim(Request.Form.Item("CERTFROMHEADER")), temp_file_name)
'create a new process that runs the Cert utility (through a batch file) to convert the cert to DER format
CertConversion = System.Diagnostics.Process.Start(certConversionBatchPath, temp_file_name & " " & temp_output_file_name)
'wait (up to one second) for the process to complete and remember whether it did
converted = CertConversion.WaitForExit(1000)
'close the process
CertConversion.Close()
CertConversion.Dispose()
CertConversion = Nothing
'if CERTUTIL had not finished, the DER file is missing or incomplete, so do not try to load it
If Not converted Then
    File.Delete(temp_file_name)
    Throw New ApplicationException("Certificate conversion did not complete in time")
End If
'using the created .cer file, load it as a certificate object
cert = X509Certificates.X509Certificate.CreateFromCertFile(temp_output_file_name)
'delete the temporary .cer file and its converted form
File.Delete(temp_file_name)
File.Delete(temp_output_file_name)
------------------------------------------
Even in Java, you may be able to execute the Microsoft utility to get the proper certificate format. CERTUTIL.EXE is part of Windows 2003, but you can also just download the Windows Server 2003 Administration Tools Pack here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en
You can do many things with CERTUTIL. To convert from PEM to DER, as you can see in the code, all I did was run the executable with an input file (in PEM format), and an output file name, and that worked. For other possible uses, see:
http://technet2.microsoft.com/windowsserver/en/library/a3d5dbb9-1bf6-42da-a13b-2b220b11b6fe1033.mspx?mfr=true
I hope this helps.
-Bill
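As an added example (not from this thread or from F5), here is the same header-to-certificate step in Go without CERTUTIL or temp files: the base64 body of a PEM block is already the DER encoding, so decoding it is all the conversion needed. It assumes the iRule puts the certificate in a header named SSLClientCert as either the PEM text or its bare base64 body, and it generates a throwaway self-signed certificate as constructed test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certFromHeader parses the certificate an iRule placed in the SSLClientCert header, from
// the PEM text or just its base64 body, even if line breaks became spaces in transit. Trust
// the header only on requests that came via the BIG-IP; have the iRule strip any client copy.
func certFromHeader(value string) (*x509.Certificate, error) {
	b64 := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "", "-----END CERTIFICATE-----", "").Replace(value)
	b64 = strings.Join(strings.Fields(b64), "") // drop all whitespace
	der, err := base64.StdEncoding.DecodeString(b64) // the PEM body is the DER bytes .NET wants
	if err != nil {
		return nil, fmt.Errorf("header is not valid base64: %w", err)
	}
	return x509.ParseCertificate(der) // no certutil round trip through temp files
}

// makeTestCertPEM returns a throwaway self-signed certificate (constructed test data).
func makeTestCertPEM(cn string) string {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	header := strings.ReplaceAll(makeTestCertPEM("client01"), "\n", " ") // iRule-style flattening
	cert, err := certFromHeader(header)
	if err != nil {
		panic(err)
	}
	fmt.Println("client CN:", cert.Subject.CommonName)
}
```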