Forum Discussion

igorzhuk's avatar
Icon for Altostratus rankAltostratus
Apr 06, 2021

Client SSL cert Move Traffic To CDN -

hi all, i move the app to CDN before the CDN the BIGIP will check the client SSL cert and base on URI allow to access to the site,

(some of uri work without the client ssl, and some uris work only if the client ssl verify),

Now in CDN we can only request (and not required ) the client ssl but not enforce the PKI check - and insert it via HTTP header, 

How i can check if the Client SSL that CDN give me via header trust my CA?

( I don't want to look only for CN because attacker can make a fake client cert with the same CN )?

Does someone have any idea?

5 Replies

  • Is BIGIP still in the new traffic flow?

    client --> CDN --> BIGIP --> Origin server


    Is yes, I guess you would not cache the uri which needs mTLS (client certificate authentication) at CDN level and that would be forwarded to the BIGIP. If this is the case, you can still use client certificate authentication on BIGIP. Or did I understood it wrong?


    If BIGIP is not in the traffic flow for CDN and below is the traffic flow


    client --> CDN --> Origin Server


    Then you would need to see the option at CDN level to parse the client certificate and extract the values from it e.g. SubjectDN, Issuer, serial number and added in HTTP headers. These can be checked on the origin server for authorisation.

    • igorzhuk's avatar
      Icon for Altostratus rankAltostratus

      Current state is client --> BIGIP --> Origin Server

      today BIGIP make a client cert request and i allow base on uri who can access to some URLs without Cert and some of URLs i Validate Client certificate and allow only if the client cert valid


      The further state

      The Flow will be: client --> CDN --> BIGIP --> Origin server

      we will move the (client certificate authentication) at CDN

      but in the CDN we can't make (like irule check the Certificate Validation base URI)

      we can make a client certificate request and if the client give the certificate inseat the certificate via HTTP header to bigip


      (the CDN not make a PKI validation of the client certificate) in "Request" mode of the client certificate

      the CDN can validate the client cert only if I work in Required mode of client cert - but its not good for us because we allow some of uri that work without CERT


      now the question is if I BIGIP getting the CERT in HTTP header in base64

      how I can validate that is trunst certificate but not only via Subject - I need to validate this is the certificate that my CA is give to client

  • Serial number or thumbprint are also the unique values. Can CDN send those in http headers to BIGIP?

    • igorzhuk's avatar
      Icon for Altostratus rankAltostratus

      F5 can send all the client cert in base64 to me

      but how I can validate in the bigip?


      i will need to add all SN in the DATAGROUP ? if I generate customer certificate (like attacker) the SN cant be same?

  • Yes. You would need to build the data group of all valid client certificates.when BIGIP receives the ​details of the certificate it would match against the known records and take action if either allow or reject. This needs to be done using an iRule.

    Serial number is unique per certificate so if someone try to spoof the certificate also SubjectDN (common name) can be the same but Serial Number won't match.

    Following are the unique values of the certificate.

    • SubjectDN and Issuer CA (combination)
    • Serial Number
    • Thumbprint