Forum Discussion
William_Them_99
Nimbostratus
Jul 20, 2005
Client Certificates at the Backend?
We have successfully configured the BIGIP device to require client certificates - it accepts the certs and passes the traffic through. Now, we need to be able to read and manipulate the client cert a...
tamins_90207
Jul 19, 2007
Historic F5 Account
Greetings,
I need a rule to extract the cert SN, issuer, and expiration date. When I enable this iRule, not only does nothing show up in the header, but I also get "page cannot be displayed" after the client cert is presented.
    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set issuer [X509::issuer $cert]
        set not_valid_before [X509::not_valid_before $cert]
    }
    when HTTP_REQUEST {
        if { [matchclass [HTTP::uri] equals $::certURIs] } {
            if { [SSL::cert count] < 1 } {
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
            } else {
                HTTP::header insert ClientSSL_Serial_F5 $sn
                HTTP::header insert ClientSSL_Issuer_F5 $issuer
                HTTP::header insert ClientSSL_not_valid_before_F5 $not_valid_before
            }
        }
    }
I have tried variations of the rule above, but with no luck.
Any pointers would be greatly appreciated.
TIA
tsun
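An added example, not part of the post above and not F5's or the poster's code: one way to structure such a rule so that the request is held while the certificate is requested, and so that client-supplied copies of the headers are stripped before the BIG-IP sets its own. It assumes the certURIs class from the post and reads the expiration date with X509::not_valid_after; the ClientSSL_not_valid_after_F5 header name and the need_cert variable are hypothetical, and "authenticate always" with "cert mode require" is a policy assumption that differs from the post's once/request.

```tcl
when HTTP_REQUEST {
    # Remove any copies of these headers sent by the client, so the backend
    # only ever sees values inserted by this rule.
    HTTP::header remove ClientSSL_Serial_F5
    HTTP::header remove ClientSSL_Issuer_F5
    HTTP::header remove ClientSSL_not_valid_after_F5

    # need_cert (hypothetical name) records whether this URI is protected.
    set need_cert 0
    if { [matchclass [HTTP::uri] equals $::certURIs] } {
        set need_cert 1
        if { [SSL::cert count] < 1 } {
            # Hold the request until the renegotiation has completed.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client answers the certificate request.
    if { [SSL::cert count] < 1 } {
        # Assumed policy: no certificate means no access to a protected URI.
        reject
        return
    }
    # Let the held request continue to the pool.
    HTTP::release
}

when HTTP_REQUEST_SEND {
    # Runs just before the request is sent to the server; the certificate
    # belongs to the client-side connection, hence the clientside block.
    clientside {
        if { $need_cert && [SSL::cert count] > 0 } {
            set cert [SSL::cert 0]
            HTTP::header insert ClientSSL_Serial_F5 [X509::serial_number $cert]
            HTTP::header insert ClientSSL_Issuer_F5 [X509::issuer $cert]
            HTTP::header insert ClientSSL_not_valid_after_F5 [X509::not_valid_after $cert]
        }
    }
}
```

The backend should accept these headers only on connections that arrive from the BIG-IP, since any other path to it could carry forged values.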