Constrained Certificate Delegation from HTTP Headers

Question

I have the following configuration setup and am trying to determine how to enable C3D to create a certificate based of provided HTTP headers.

Outside F5 (Terminates SSL and inserts headers from validated certificate) -> Middle F5 (AWAF) -> Inside F5 (Re-encrypt and use C3D to connect to the back-end service) -> Apache HTTPD

I have C3D enabled on the Inside F5 with a valid self-signed CA for testing.

The inserted headers from the Outside F5 are available on the inside Apache HTTP server.

How can I enable C3D on the Inside F5 to produce the new certificate with supplied headers?

rick_norwood · Answer

Some attempts I have used is to insert accepted X headers and SSL_CLIENT headers.   In both cases I have inserted the X_CLIENT_CERT and SSL_CLIENT_CERT along with associated, subjects, serials, version, etc.

Forum Discussion

Constrained Certificate Delegation from HTTP Headers

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

SSL Orchestrator Advanced Use Cases: Client Certificate Constrained Delegation (C3D) Support

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

F5 Distributed Cloud - Automatic TLS Certificate Generation - Non-Delegated DNS Zone

Configuring Smart Card Authentication and Kerberos Constrained Delegation in F5 Access Policy Manager (APM)

Single-Sign-On mit Kerberos Constrained Delegation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS