Forum Discussion
midhun_108442
Nimbostratus
Mar 13, 2013
Collecting Certificate information for the client request
Hi,
I am new to the iRule feature. We are using the iRule below to get the certificate information for the client request, but the request below only provides the logs for successful requests. I n...
Kevin_Stewart
Employee
Mar 20, 2013
Ahh, it's all starting to make more sense. Are you by chance only testing with IE? In my lab I can only get the "The Certificate count is 0" message with IE. In any case, there are a few things to consider:
1. If you simply want to prevent users from selecting the wrong certificate, based on issuer, then create and apply an Advertised Certificate Authorities bundle file. This injects root hints into the client certificate request that most browsers will honor to filter the list of certificate options presented to the client. So in this case your advertised list would only contain the CA certs that you want to accept.
2. Do you have your client SSL profile Client Certificate option set to "require"? If so, this performs a very restrictive verification process. You won't be able to return anything to the user about mismatched certificates because your SSL negotiation will have failed. If you want to send something back to the user, then you have to set the mode to Request and then make provisions in your iRule to capture verification errors (validation, wrong certificate, etc.).
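
An iRule sketch of the second option in the reply above, added as an example that is not part of the original posts or F5's own code. It assumes the client SSL profile's Client Certificate option is set to "request"; the variable names and response text are hypothetical, and resumed SSL sessions are not handled.

```tcl
# Added example: assumes Client Certificate = request on the client SSL profile.
when CLIENT_ACCEPTED {
    # Default state for this connection until a certificate is seen.
    set cert_state "none"
    set cert_error ""
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0. "[IP::client_addr]: no client certificate presented"
        return
    }
    set cert [SSL::cert 0]
    # 0 means the certificate verified; any other code is a verification error.
    set code [SSL::verify_result]
    if { $code == 0 } {
        set cert_state "ok"
        log local0. "[IP::client_addr]: accepted subject=[X509::subject $cert] issuer=[X509::issuer $cert]"
    } else {
        set cert_state "failed"
        set cert_error [X509::verify_cert_error_string $code]
        log local0. "[IP::client_addr]: rejected subject=[X509::subject $cert] issuer=[X509::issuer $cert] error=$cert_error"
    }
}

when HTTP_REQUEST {
    # The handshake completed in request mode, so the policy is enforced here.
    switch $cert_state {
        "ok" { return }
        "failed" {
            HTTP::respond 403 content "The certificate you selected was not accepted. Please choose a different certificate." "Content-Type" "text/plain"
        }
        default {
            HTTP::respond 403 content "A client certificate is required to access this site." "Content-Type" "text/plain"
        }
    }
}
```

The detailed verification error goes to the log only; the user sees a generic message for each failure case.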