steven_normole
Oct 10, 2024

iRule for X509 Subject

I have an iRule that is working and inserts a certificate DN into a header.

 

In the header the cert DN is inserted as:

x-ssl-client-dn: C=<Country>, O=<Org>, OU=<OU>, CN=<User Name>

 

The application owner wants it changed to the following:

x-ssl-client-dn: CN=<User Name>, OU=<OU>, O=<Org>, C=<Country>

 

How can this be reversed?

 

  • This is the full iRule:

    #This will insert multiple headers into the packet to the backend servers.
    when CLIENTSSL_CLIENTCERT {
        # See if no certificate was presented after the SSL profile request
        if {[SSL::cert 0] eq ""}{
            # Log a failure to receive a certificate
            log local0. "([IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]) failed to provide a certificate, connection rejected"
            # Reset the connection because of no certificate
            reject
        }
        # Log receipt of a client certificate
        #May Be Remarked In Production
        #log local0. "A Cert was submitted from IP Address: [IP::client_addr]"
    }

    when HTTP_REQUEST {
        # Set a local variable with certificate
        set cert [SSL::cert 0]
        set Cert_CN [X509::subject [SSL::cert 0] commonName]
        log local0. "This is from User_CN   $Cert_CN"
        #HTTP::header insert "X-SSL-Client-CN" "$Cert_CN"
        #HTTP::header insert  X-SSL-Client-S-DN   [X509::subject $cert]
        #HTTP::header insert  X-SSL-Client-NotBefore [X509::not_valid_before $cert]
        #HTTP::header insert  X-SSL-Client-NotAfter  [X509::not_valid_after $cert]
        #HTTP::header insert  X-SSL-Issuer  [X509::issuer $cert]
        #HTTP::header insert  X-SSL-CERT  [X509::whole $cert]
        #HTTP::header insert  X-SSL-SERIAL [X509::serial_number $cert]
        #HTTP::header insert  X-SSL-VERSION [X509::version $cert]
        #HTTP::header insert  X-SSL-EXTENSIONS [X509::extensions $cert]
    }
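
One way to reverse the subject order, as an added example that is not part of the original post. It assumes `X509::subject` returns the comma-separated form shown in the question, and it also removes any client-supplied `x-ssl-client-dn` header so the backend only sees the value taken from the certificate:

```tcl
when HTTP_REQUEST {
    # Drop any copy of the header sent by the client, so the backend only
    # ever receives the DN derived from the presented certificate.
    HTTP::header remove "x-ssl-client-dn"

    if {[SSL::cert count] > 0} {
        # Constructed sample of the expected input:
        #   "C=US, O=Example Org, OU=Unit, CN=Jane Doe"
        set subject [X509::subject [SSL::cert 0]]

        # Split on commas, then glue back any piece that does not start
        # with "attr=" (a comma inside a value, e.g. "O=Example, Inc.").
        # This is a heuristic: a value containing ", x=" would still be split.
        set rdns [list]
        foreach piece [split $subject ","] {
            if {[llength $rdns] == 0 || [regexp {^\s*[A-Za-z0-9][A-Za-z0-9.]*\s*=} $piece]} {
                lappend rdns [string trim $piece]
            } else {
                set last [expr {[llength $rdns] - 1}]
                lset rdns $last "[lindex $rdns $last],$piece"
            }
        }

        # Walk the list backwards. iRules run on Tcl 8.4, which has no
        # lreverse command, so the reversal is done with an index loop.
        set reversed [list]
        for {set i [expr {[llength $rdns] - 1}]} {$i >= 0} {incr i -1} {
            lappend reversed [lindex $rdns $i]
        }

        # Result for the sample above:
        #   "CN=Jane Doe, OU=Unit, O=Example Org, C=US"
        HTTP::header insert "x-ssl-client-dn" [join $reversed ", "]
    }
}
```

This block would replace the `HTTP_REQUEST` event in the iRule above; the `CLIENTSSL_CLIENTCERT` event stays as it is.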