(How) can I get two client certificates in one APM session?

Question

I have a customer with iPads that need to authenticate to APM with a user certificate. This has been working fine, but there is also now need to read a field from a per-device certificate on each iPad and make use of this within the access policy. The two certificates are issued by different authorities.

Maybe I am wrong, but it seems impossible to change the client SSL profile by renegotiating SSL during the session, so as to let me check the user cert and then the device cert.

Does anyone know of a way?

TMOS V16.1

lucas_thompson · Answer

You should be able to simply use multi-domain SSO (it allows multiple hostnames to share the same APM session) with two DNS names and use two vips (each with a separate "advertised CAs" setting in the clientssl profile so hopefully the client doesn't get a popup to choose the cert), attached to the same access profile, and collect the second certificate once the session is established inside of a per-request policy.
Testing and setting this up would be somewhat complex.
&nbsp;

spalande · Answer

In APM flow you can add the action to get the device certificate as well. Please check below article and let us know how the testing goes.&nbsp;https://my.f5.com/manage/s/article/K13614&nbsp;

gym1 · Answer

Thanks for the suggestion. I guess I should have mentioned that I had considered the device certificate policy item as a possibility, but it is only supported on Windows and Mac, whereas the clients here are iPads. It requires knowledge of the certificate store name, which is hidden from me, and as that reference says, need the Edge client. I'm trying to avoid the use of Edge, because these devices are already using a VPN client from another vendor. We know from experience that the two conflict.So I have an unusual set of conditions.I'm now considering use of an external logon page hosted on another virtual on the F5 (as an iRule I hope), That would have a client SSL profile that captures the other client certificate, then parses it for the field I need, and somehow returns that to the original policy. Then somehow I hope to parse that response and use that field value.I say "somehow" because frankly the external logon page feature does not seem well documented. It's not at all clear what the policy expects to receive back from the external logon page, nor how the response can be used.

Forum Discussion

(How) can I get two client certificates in one APM session?

3 Replies

Recent Discussions

Protecting NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 with ASM

where to download older F5 OS versions

Errors with AS3 3.56.0 with F5 17.5.1.6

ssh: Common Criteria mode initialized

LTM Policy for HTTP Host rewrite

Related Content

F5 Architecture Track Sessions - AppWorld 2026

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

BIG-IQ Client Certificate (PKI) Authentication