f5 client certificate forwarding

Question

i have website secure over F5 , it require client certificate which i need to forward it to the server. i don't f5 to validate the certifcate . just i need to pass it to sever..

i have add in ssl profile the client certificate as " require" , and i have add the root CA as Advertised Certificate Authorities because the client will use self sighn certificate .. in irule i did the below:

CLIENTSSL_CLIENTCERT { if { [SSL::cert count] > 0 } { set client_cert [X509::whole [SSL::cert 0]] set session_cert $client_cert } } when HTTP_REQUEST { if {[info exists session_cert]} { HTTP::header replace "X-Client-Cert" $session_cert }

now when i try to access the portal, certifcate popup is displayed and after choose the certifcate i got " the site can't provide a secure connection, err_ssl_protocol_error .. and in f5 i see the client certifcicate is attach to the header.

so what might be the issue?

joselabra · Answer

Hi
if you configure into the profile client ssl this option

the profile ignore the validation and process the iRule

kevin_stewart · Answer

The short answer is that you cannot do this. You can't terminate TLS at the BIG-IP and still send the original client cert to the backend server. Basically, during the TLS handshake the client digitally signs a portion of the handshake data with its private key. As the middle box (BIG-IP) does not have access to the client's private key, it could not simply relay the origin client cert to the backend if it's also terminating TLS on the client side. There are generally two options here:

Don't decrypt -- don't add client and server SSL profiles (or any L7, HTTP profiles) to the VIP, effectively allowing TLS (L6) to pass through.
Use Client Certificate Constrained Delegation - this function in LTM allows the BIG-IP to terminate client side TLS and "forge" an ephemeral client certificate to the backend. In the simplest mode, it'll copy all of the attributes of the origin cert to the forged client cert. In more flexible scenarios, you can use an iRule to inject arbitrary attributes into the forged client cert.

SSL Orchestrator Advanced Use Cases: Client Certificate Constrained Delegation (C3D) Support | DevCentral

&nbsp;

Forum Discussion

f5 client certificate forwarding

2 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Changes to DO and AS3 GitHub - no longer monitored

SSL Forward Proxy, iRules and Client Hello

monitor/healthcheck issue with envoy gateway

Recommendation for Adv. Lab

How to Verify config before loading to F5

Related Content

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

BIG-IQ Client Certificate (PKI) Authentication

SSL Client Certification Alert 46 Unknown CA

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS