HTTP header insert with CN and for SHA1 thumbprint of the SSL certificate ?

Question

Hi Any one help to edit the below irule to match my requirement, HTTP header insert with CN(Certificate name) and for SHA1 thumbprint of the SSL certificate to backend servers.&nbsp;LTM VIP is HTTPS with only client SSL profileMembers are connected to LB with port 3000, No Server Side SSL profile. &nbsp;&nbsp;&nbsp;when CLIENTSSL_HANDSHAKE&nbsp;&nbsp;{&nbsp;&nbsp;&nbsp;set cur [SSL::sessionid]&nbsp;&nbsp;&nbsp;set ask [session lookup ssl $cur]&nbsp;&nbsp;&nbsp;&nbsp;if { $ask eq "" } {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;session add ssl [SSL::sessionid] [SSL::cert 0]&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;when HTTP_REQUEST&nbsp;&nbsp;{&nbsp;&nbsp;&nbsp;set id [SSL::sessionid]&nbsp;&nbsp;&nbsp;set the_cert [session lookup ssl $id]&nbsp;&nbsp;&nbsp;if { $the_cert != ""}&nbsp;&nbsp;&nbsp;{&nbsp;&nbsp;&nbsp;&nbsp;HTTP::header insert X-Client-Cert [X509::whole $the_cert]&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;}&nbsp;&nbsp;

andy_mcgrath · Answer

Take it you want the client certificate data inserted as HTTP headers?The following does this generally, you will need to pick the parts you want from the iRule X509 options:when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] &gt; 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
&nbsp;
        foreach field [ split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
&nbsp;
when HTTP_REQUEST {
    if {(info exists clientCert) &amp;&amp; ($clientCert ne "") } {
        HTTP::header insert X-Client-Cert $clientCert
    }
&nbsp;
    if {(info exists clientCommonName) &amp;&amp; ($clientCommonName ne "") } {
        HTTP::header insert X-Client-CN $clientCommonName
    }
}

ironman · Answer

Thanks, I modified it please check once&nbsp;when CLIENTSSL_CLIENTCERT priority 100 {&nbsp;&nbsp;if {[SSL::cert count] &gt; 0} {&nbsp;&nbsp;&nbsp;&nbsp;set clientCert [X509::whole [SSL::cert 0]]&nbsp;&nbsp;&nbsp;&nbsp;set clientCertSubject [X509::subject [SSL::cert 0]]&nbsp;&nbsp;&nbsp;&nbsp;set cert_hash [X509::hash [SSL::cert 0]]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;foreach field [ split $clientCertSubject ","] {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if {$field starts_with "CN="} {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set clientCommonName [getfield $field "=" 2]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;}}&nbsp;when HTTP_REQUEST {&nbsp;&nbsp;if {(info exists clientCert) &amp;&amp; ($clientCert ne "") } {&nbsp;&nbsp;&nbsp;&nbsp;HTTP::header insert X-Client-Cert $clientCert&nbsp;&nbsp;}&nbsp;&nbsp;&nbsp;if {(info exists clientCommonName) &amp;&amp; ($clientCommonName ne "") } {&nbsp;&nbsp;&nbsp;&nbsp;HTTP::header insert X-Client-CN $clientCommonName&nbsp;&nbsp;}&nbsp;&nbsp;&nbsp;{&nbsp;&nbsp;&nbsp;&nbsp;HTTP::header insert X-Client-CN $clientCommonName&nbsp;&nbsp;}}

andy_mcgrath · Answer

when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] &gt; 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        set clientCertHash [X509::hash [SSL::cert 0]]
        foreach field [ split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
&nbsp;
when HTTP_REQUEST {
    if {(info exists clientCert) &amp;&amp; ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }
&nbsp;
    if {(info exists clientCommonName) &amp;&amp; ($clientCommonName ne "")} {
        HTTP::header insert X-Client-CN $clientCommonName
    }
&nbsp;
    if {(info exists clientCertHash) &amp;&amp; ($clientCertHash ne "")} {
        HTTP::header insert X-Client-hash $clientCertHash
    }
}

ironman · Answer

Thanks for your time, I will test it and let you know result

ironman · Answer

I am bothering you,&nbsp;&nbsp;I am getting in big error, when adding the rule to f5&nbsp;&nbsp;01070151:3: Rule [/Common/rulename] error: /Common/rulename:15: error: [parse error: PARSE syntax 466 {syntax error in expression "(info exists clientCert) &amp;&amp; ($clientCert ne "")": looking for close parenthesis}][{(info exists clientCert) &amp;&amp; ($clientCert ne "")}]/Common/rulename:19: error: [parse error: PARSE syntax 587 {syntax error in expression "(info exists clientCommonName) &amp;&amp; ($clientCommonName ne "")": looking for close parenthesis}][{(info exists clientCommonName) &amp;&amp; ($clientCommonName ne "")}]/Common/Qvantel-BSSAP-SIT:23: error: [parse error: PARSE syntax 724 {syntax error in expression "(info exists clientCertHash) &amp;&amp; ($clientCertHash ne "")": looking for close parenthesis}][{(info exists clientCertHash) &amp;&amp; ($clientCertHash ne "")}] &nbsp;&nbsp;

Forum Discussion

HTTP header insert with CN and for SHA1 thumbprint of the SSL certificate ?

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

OWA File Upload URIs for WAF Bypass

F5 AWAF/ASM learning only from Trusted traffic?

irule execution error

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

Thumbprint of the client ssl certificate

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

Automate Let's Encrypt Certificates on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS