Forum Discussion

Al_17441
Apr 11, 2008

Have IE display only certificates from a list of Cert issuers

I'm currently trying to have the browser only display certs that have a certain issuer. Because we are dealing with Govt. SmartCard technology, it holds multiple certificates and displays them all and we want to limit the confusion by only showing IDENTITY certificates. My current iRule handles authentication and certificate validation.

Any info on how to get going in the right direction would be great!

Thanks in advance,

Al


when CLIENTSSL_HANDSHAKE {
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        # Store the client certificate against the SSL session id so that
        # HTTP_REQUEST can retrieve it (assumed: this line is missing from the
        # rule as posted, but the lookup below depends on it).
        session add ssl $cur [SSL::cert 0] 3600
    }
}
when HTTP_REQUEST {
    HTTP::header replace HTTPS on
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        # change timeout to 60 min
        IP::idle_timeout 3600
        # Validity window check: notBefore < now < notAfter
        set CertExpBefore [X509::not_valid_before $the_cert]
        set CertExpAfter [X509::not_valid_after $the_cert]
        set current_day [clock format [clock seconds] -format {%b %d %T %Y %Z} -gmt {1}]
        set ConvertedBefore [clock scan $CertExpBefore]
        set ConvertedAfter [clock scan $CertExpAfter]
        set ConvertedCurrent [clock scan $current_day]
        log "Before  $CertExpBefore"
        log "After  $CertExpAfter"
        log "Current  $current_day"
        log "Before 2  $ConvertedBefore"
        log "After 2 $ConvertedAfter"
        log "Current 2 $ConvertedCurrent"
        if { $ConvertedCurrent > $ConvertedBefore and $ConvertedCurrent < $ConvertedAfter } {
            log "In Subject getting."
            # Split the subject DN on commas and rebuild it with the RDNs in reverse order
            set sub [X509::subject $the_cert]
            set subA [getfield $sub "," 1]
            set subB [getfield $sub "," 2]
            set subC [getfield $sub "," 3]
            set subD [getfield $sub "," 4]
            set subE [getfield $sub "," 5]
            set subF [getfield $sub "," 6]
            set separator ", "
            set pkiSubject $subF$separator$subE$separator$subD$separator$subC$separator$subB$separator$subA
            # Same treatment for the issuer DN (five RDNs)
            set iss [X509::issuer $the_cert]
            set issA [getfield $iss "," 1]
            set issB [getfield $iss "," 2]
            set issC [getfield $iss "," 3]
            set issD [getfield $iss "," 4]
            set issE [getfield $iss "," 5]
            set pkiIssuer $issE$separator$issD$separator$issC$separator$issB$separator$issA
            # $pkiSubject is the first line on PKIInfo
            log "$pkiSubject"
            # $pkiIssuer is the third line on PKIInfo
            log "$pkiIssuer"
            # Pass the certificate to the server as headers: PEM body with the
            # BEGIN/END armor and line breaks stripped, plus subject, issuer and serial
            HTTP::header insert SSL-Client-Cert [join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } [X509::whole $the_cert]]] ""]
            HTTP::header insert CN $pkiSubject
            HTTP::header insert SSLIssuer $pkiIssuer
            HTTP::header insert SSLClientCertSN [string map {: -} [X509::serial_number $the_cert]]
        } else {
            HTTP::respond 200 content "Access Denied: Your Certificate has Expired. Access to this resource is denied without a valid
DoD Common Access Card or DoD approved 3rd Party PKI Certificate. If you do not have one,
please visit the website for information on obtaining a CAC
card. Otherwise, please insert your CAC card into your
reader, close this window, and try accessing this website again to reestablish your session.
"
        }
    } else {
        HTTP::respond 200 content "Access Denied or Your Session Has Timed Out. Access to this resource is denied without a valid
DoD Common Access Card or DoD approved 3rd Party PKI Certificate. If you do not have one,
please visit the website for information on obtaining a CAC
card. Otherwise, please insert your CAC card into your
reader, close this window, and try accessing this website again to reestablish your session.
"
    }
}
I deal with DoD smart cards as well, and if we're talking about the same system, the cards have an identity certificate and two email certificates (signature and encryption). To implement what you're talking about, we modified the client certificate bundle in the SSL client profile to ONLY include the SUBORDINATE CA certificates of the identity certs and removed the DoD roots (also no email Sub-CAs). The DoD roots act as a "catch all", so removing it removes the display of anything not specifically listed in the bundle. If you want to get fancy, you can also restrict to only hardware tokens (smart cards not soft certs) by filtering on the certificate policy OID, which is different between the two, and also different between DoD ECA (external certificate authority) soft and hard tokens (Verisign, DST, ORC).

I hope this helps.

Kevin
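Trimming the CA bundle in the client SSL profile, as Kevin describes, only changes which certificates the browser offers; the BIG-IP should still enforce the same restriction on whatever certificate actually arrives. The iRule below is an added example, not code from the original post or from F5, that rejects the handshake unless the presented certificate's issuer is on an allowlist of identity sub-CAs and otherwise caches the certificate for HTTP_REQUEST the way the posted rule expects. The issuer DNs are placeholders to be replaced with the real sub-CA DNs from the bundle.

```tcl
# Added example (not part of the original post). Server-side issuer allowlist
# for client certificates: complements the trimmed CA bundle in the profile.
when CLIENTSSL_CLIENTCERT {
    # Issuer DNs of the identity sub-CAs (PLACEHOLDER values; replace with the
    # DNs of the sub-CAs that remain in the client SSL profile bundle).
    set allowed_issuers [list \
        "CN=EXAMPLE ID CA-1,OU=PKI,OU=DoD,O=U.S. Government,C=US" \
        "CN=EXAMPLE ID CA-2,OU=PKI,OU=DoD,O=U.S. Government,C=US" ]

    # No certificate presented: the browser found nothing chaining to the bundle.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate presented by [IP::client_addr]"
        reject
        return
    }

    set cert [SSL::cert 0]
    # Normalise ", " to "," so the comparison does not depend on DN spacing.
    set issuer [string map {", " ","} [X509::issuer $cert]]

    # Only identity sub-CAs are acceptable; email signing/encryption sub-CAs,
    # and anything else that chains to a DoD root, are refused here.
    if { [lsearch -exact $allowed_issuers $issuer] == -1 } {
        log local0. "Rejected client cert from [IP::client_addr]: issuer '$issuer' is not an identity CA"
        reject
        return
    }

    # Accepted: cache the certificate against the SSL session id for one hour so
    # HTTP_REQUEST can retrieve it with [session lookup ssl [SSL::sessionid]].
    session add ssl [SSL::sessionid] $cert 3600
    log local0. "Accepted identity cert for [IP::client_addr], issuer '$issuer'"
}
```

The rejected issuer is logged so that clients still offering email certificates (for example because they cached an older profile bundle) show up in the logs instead of silently failing.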