Forum Discussion
becky_76258
Nimbostratus
Mar 31, 2010
Client Certs and SSL offload on LTM
Hi,
My client is currently running their website on a single server. The https home page uses a domain SSL cert installed on the server. Website users then also download a client certif...
hoolio
Cirrostratus
Mar 31, 2010
Hi Becky,
You can have LTM request a client cert for all requests to a VIP, or selectively based on the requested URI. LTM can establish an SSL connection with the pool members. However, LTM cannot use the client's cert to establish a connection with the server as LTM doesn't have the client's SSL key. What many people do is insert details about the client cert or the entire cert in an HTTP header. The server would need to then parse the cert details and validate that instead of the actual SSL cert.
To require a client cert for all requests to a VIP, you can use a client SSL profile and set the client cert mode to require. You'll need to import the issuing CA's cert and configure it as the trusted and advertised CA cert.
To request a client cert for some requests, you can use a client SSL profile and set the client cert mode to ignore. You can then dynamically request a client cert based on the requested URI. There are three related examples in the Codeshare. None exactly request a client cert based on URI, add the cert or cert details to the session table and then look up the cert on resumed SSL sessions, so you would need to adapt these to your requirements.
Uses the session table to store the cert details, but doesn't selectively request a client cert based on URI
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Requests a client cert based on the requested URI, but doesn't use the session table to store the cert or cert details
http://devcentral.f5.com/wiki/default.aspx/iRules/RequestClientCertificateAndPassToApplication.html
Requests a client cert based on the requested URI and uses the session table, but has a lot of extra code which is used to check the client cert against an OCSP server.
http://devcentral.f5.com/wiki/default.aspx/iRules/client_cert_request_by_uri_with_ocsp_checking.html
Aaron
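The iRule below is an added example for this thread, not code from the original posts or from the three Codeshare entries linked above. It combines the pieces Aaron lists: request a client cert only for a URI prefix, validate it against the configured CA, remember the validated details in the session table keyed by the SSL session ID, and reuse them on resumed SSL sessions (where the abbreviated handshake carries no cert). It assumes a client SSL profile with client cert mode "ignore" and the issuing CA set as the trusted and advertised CA, and TMOS v10.1 or later for the `table` command and `static::` variables. The `/secure` prefix, the `X-Client-Cert-*` header names and the `client_certs` subtable name are placeholders.

```tcl
# Added example, not from the original thread or the linked Codeshare entries.
# Assumes: client SSL profile with client cert mode "ignore", issuing CA configured
# as trusted/advertised CA, TMOS v10.1+ ("table" command, "static::" namespace).
# URI prefix, header names and subtable name are hypothetical placeholders.

when RULE_INIT {
    set static::cert_uri "/secure"   ;# hypothetical path that needs a client cert
    set static::cert_ttl 3600        ;# seconds to keep validated cert details cached
}

when HTTP_REQUEST {
    # The server trusts these headers, so strip anything the client sent with
    # the same names before LTM sets them from the cert it validated itself.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Serial"

    if { not ([HTTP::uri] starts_with $static::cert_uri) } {
        return
    }

    if { [SSL::cert count] > 0 } {
        # Cert already presented on this connection (earlier renegotiation)
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
        HTTP::header insert "X-Client-Cert-Serial" [X509::serial_number [SSL::cert 0]]
        return
    }

    set cached [table lookup -subtable client_certs [SSL::sessionid]]
    if { $cached ne "" } {
        # Resumed SSL session: no cert in this handshake, reuse the cached details
        HTTP::header insert "X-Client-Cert-Subject" [lindex $cached 0]
        HTTP::header insert "X-Client-Cert-Serial" [lindex $cached 1]
        return
    }

    # Full handshake without a cert: hold the request, switch the profile to
    # "require" for this connection and renegotiate so the client sends its cert.
    set need_release 1
    HTTP::collect
    SSL::cert mode require
    SSL::renegotiate
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the renegotiated handshake delivers (or fails to deliver) a cert.
    # SSL::verify_result is 0 only when the cert chains to the configured CA.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        reject
        return
    }
    # Remember subject and serial for resumed sessions with the same session ID
    table set -subtable client_certs [SSL::sessionid] \
        [list [X509::subject [SSL::cert 0]] [X509::serial_number [SSL::cert 0]]] \
        $static::cert_ttl
}

when CLIENTSSL_HANDSHAKE {
    # Renegotiation finished: release the held request so HTTP_REQUEST_DATA runs.
    # Guarded so the initial handshake (nothing collected yet) does nothing.
    if { [info exists need_release] } {
        unset need_release
        HTTP::release
    }
}

when HTTP_REQUEST_DATA {
    # The released request from the renegotiation path: add the validated details
    if { [SSL::cert count] > 0 } {
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
        HTTP::header insert "X-Client-Cert-Serial" [X509::serial_number [SSL::cert 0]]
    }
}
```

Two points matter on the server side of this design. First, because the application now trusts a header instead of the TLS layer, it must only accept those headers on connections that come from the LTM (for example by binding the pool member to an interface the LTM alone can reach); the `HTTP::header remove` lines stop a browser from injecting its own `X-Client-Cert-*` values through the VIP, but they do nothing for traffic that bypasses the VIP. Second, the cache is keyed on the SSL session ID and expires with `cert_ttl`, so revoking a cert takes effect on the next full handshake; if you need revocation checked on every request, the OCSP Codeshare entry Aaron linked is the one to adapt.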