Client side SSL with client certificate handled elsewhere

Question

Hi All,&nbsp;
&nbsp;We have a requirement to receive a request over SSL. The request will contain a client certificate. In our solution we will terminate the SSL request at BigIP as normal but we need the client certificate passed to the web server as the web server will be performing the authentication against the CA (long story).&nbsp;
&nbsp;In terms of configuration, can I terminate SSL using a normal client side SSL profile and ignore the certificate? Will it then be passed to the web server over http or will BigIP want to deal with it and I'll have to write an iRule to forward the certificate on?&nbsp;
&nbsp;Many thanks&nbsp;
&nbsp;Phill

hooleylist · Answer

Hi Phill, 
&nbsp;  
&nbsp; TMM can't use the client's cert in an HTTP (or even in an HTTPS) request to the server.  HTTP doesn't support client certs.  And TMM doesn't have the client's private key to do this via SSL. 
&nbsp;  
&nbsp; You can insert the entire cert base64 encoded or specific cert attributes in a custom HTTP header though.  Here's one example: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Client side SSL with client certificate handled elsewhere

Recent Discussions

how to whitelist new source IP on F5 web UI access

F5 to read a combined CRL file

Upgrade F5 BIGIP

ISP Load Balancing, SNAT pool instead of Automap link self-ip, anyway to do health check ?

MAC address of deleted VS IP address still responsive

Related Content

AI Security : Prompt Injection and Insecure Output Handling.

Automating ACMEv2 Certificate Management on BIG-IP

Intermediate iRules: Handling Strings

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS