Forum Discussion
Insert missing UPN into certificate?
Hi, I'm trying to insert the UPN field in a smartcard authentication session and send that smartcard info to the backend servers. Today I've got smartcards that are missing the othername:UPN and the application requires the UPN field.
The field in the certificate today has:
X509v3 Subject Alternative Name: email:user@domain
Is there any way to use "SSL::extensions insert" or other function to get the result below?
X509v3 Subject Alternative Name: othername:UPN, email:user@domain
Thanks!
- Kevin_Stewart
Employee
SSL::extensions is designed to insert parameters into the server side SSL handshake, not to modify attributes of a certificate. In fact if you tried to manipulate the certificate, you'd break its corresponding digital signature.
On a side note, if you attach SSL profiles to a VIP, you cannot send the smart card certificate all the way to the server.
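The signature point above can be reproduced with the OpenSSL command line. This is an added example, not part of the original thread: the CA, the leaf certificate, the file names and the `user@example.test` address are all constructed for the demo, and it assumes an `openssl` binary with its default configuration is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway CA issues a leaf certificate whose SAN holds
# only an email entry, like the smartcard certificates in the question.
WORK=$(mktemp -d)

make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  printf 'subjectAltName=email:user@example.test\n' > "$WORK/ext.cnf" &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the SAN line of a certificate as OpenSSL renders it.
san_of() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Exit status 0 only if the CA's signature over the certificate checks out.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Edit the SAN inside the signed bytes without re-signing. A same-length
# change keeps the DER well formed; adding an otherName entry would alter
# the signed bytes in the same way.
tamper_san() {
  openssl x509 -in "$WORK/leaf.pem" -outform DER -out "$WORK/leaf.der" &&
  LC_ALL=C sed 's/user@example\.test/USER@example.test/' \
    "$WORK/leaf.der" > "$WORK/tampered.der" &&
  openssl x509 -inform DER -in "$WORK/tampered.der" -out "$WORK/tampered.pem"
}

make_pki && tamper_san
echo "original SAN: $(san_of "$WORK/leaf.pem")"
verify_leaf "$WORK/leaf.pem" && echo "original: signature OK"
echo "tampered SAN: $(san_of "$WORK/tampered.pem")"
verify_leaf "$WORK/tampered.pem" || echo "tampered: verification FAILED"
```

The tampered file still parses and displays the edited SAN, so only a relying party that validates the chain notices the change.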
- Jonas_Karlsson_
Nimbostratus
Thank you. That is good to know that a certificate can't be modified without breaking the signatures.
But maybe there is another way? Let's say you use the smartcard without the preferred attributes just to start an APN session by mapping the login with another attribute on the certificate. Then query AD for the user account. Then somehow make a new temporary certificate (bake it within f5) to present to the server that now holds the preferred attributes. Maybe, probably better to reissue the smartcards (thousands..)
- Kevin_Stewart
Employee
See Client Certificate Constrained Delegation. This 13.1 LTM feature allows you to forge client certificates to internal servers.