Forum Discussion
hooleylist
Jan 12, 2010 (Cirrostratus)
LTM can validate client certs against a root cert you configure in the client SSL profile. If you want to handle failures with something other than a TCP close/reset, you'll need to use an iRule.
If you have the advanced client auth module licensed, you can validate the client cert against a root CA cert and check the cert status using LDAP, OCSP, CRLDP server (or a few other types).
However, there is no way for LTM to proxy the actual client cert for the serverside SSL handshake as LTM doesn't have the client cert private key. You can have LTM insert the cert or cert details on the HTTP request headers sent to the servers. But the app would need to be changed to parse the cert or cert details from the HTTP headers.
There are a few related examples in the iRule codeshare:
http://devcentral.f5.com/Wiki/default.aspx/iRules.CodeShare
http://devcentral.f5.com/Wiki/default.aspx/iRules/ClientCertificateCNChecking.html
http://devcentral.f5.com/Wiki/default.aspx/iRules/InsertCertInServerHeaders.html
http://devcentral.f5.com/Wiki/default.aspx/iRules/RequestClientCertificateAndPassToApplication.html
http://devcentral.f5.com/Wiki/default.aspx/iRules/Validate_certificate_Common_Name_and_revocation.html
Aaron
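An added example (not from the post or the codeshare links above) showing the pieces Aaron describes as one iRule: LTM validates the cert against the CA in the client SSL profile, the iRule answers failures with an HTTP 403 instead of a bare TCP reset, and it passes cert details to the pool in request headers. The header names and the profile settings in the comments are assumptions, and the application behind LTM still has to read those headers.

```tcl
# Assumed setup: the virtual server has a client SSL profile with client
# authentication set to "request" and the trusted CA bundle configured,
# plus an HTTP profile so the HTTP_REQUEST event fires.

when CLIENTSSL_CLIENTCERT {
    # LTM has already checked the presented chain against the profile's CA;
    # SSL::verify_result is 0 when that check passed.
    set cert_status [SSL::verify_result]
    set cert_subject ""
    set cert_issuer ""
    set cert_serial ""
    if { [SSL::cert count] > 0 } {
        set cert_subject [X509::subject [SSL::cert 0]]
        set cert_issuer  [X509::issuer [SSL::cert 0]]
        set cert_serial  [X509::serial_number [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Header names are assumed; they only need to match what the app parses.
    # Remove any copies the client sent itself so the pool only ever sees
    # values that LTM set from the actual TLS handshake.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"
    HTTP::header remove "X-Client-Cert-Serial"

    if { ![info exists cert_status] } {
        # No CLIENTSSL_CLIENTCERT event on this connection: nothing to trust.
        HTTP::respond 403 content "A valid client certificate is required"
        return
    }
    if { $cert_status != 0 || $cert_subject eq "" } {
        # Chain failed validation or no cert was presented: reply over HTTP
        # rather than resetting the TCP connection, and log a readable reason.
        log local0. "Client cert rejected from [IP::client_addr]: \
            [X509::verify_cert_error_string $cert_status]"
        HTTP::respond 403 content "A valid client certificate is required"
        return
    }

    # Validated cert: hand the details to the application in headers.
    HTTP::header insert "X-Client-Cert-Subject" $cert_subject
    HTTP::header insert "X-Client-Cert-Issuer"  $cert_issuer
    HTTP::header insert "X-Client-Cert-Serial"  $cert_serial
}
```

Because the private key never leaves the client, the serverside handshake still uses LTM's own identity; the headers are the only way the pool members learn which client cert was presented, so they should accept them only on the path that passes through LTM.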