Forum Discussion
iRule to access F5 certificate store
I am looking to create an iRule to inject a client certificate that is not provided in the client session. I can upload the client certificate to the F5, but I am looking at how I would call that from inside of the iRule. Any ideas?
- Vijay_E (Cirrus)
Inject the client certificate and pass it to the server (pool member)?
See if this may provide information to craft your iRule: https://devcentral.f5.com/questions/irule-for-certificate-injection-into-the-http-header
- Kevin_Stewart (Employee)
This probably deserves some clarification on what you're trying to accomplish, but generally speaking there is NO method to install a certificate into the F5 keystore from an iRule. These two things function on different planes. Now, it would technically be possible to do something that bridged the management and data planes, but this would be beyond dangerous.
- Kevin_Stewart (Employee)
Are you trying to insert the client certificate into the server side SSL handshake?
- Kevin_Stewart (Employee)
Strictly speaking, the client certificate is presented to the server during the SSL handshake and after the server requests it. More importantly, after the client sends its certificate, it sends a separate message that is digitally signed with its private key. In other words, once you've decrypted the traffic on the client side you cannot send the client's certificate to the backend server in an SSL handshake because you wouldn't have access to the client's private key.
So what we need to define now is how you need the client certificate. If your application can accept it in an HTTP header that's the absolute easiest option.
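The header option described above, written out as an added iRule example (not code from this thread or from F5's documentation). It assumes the clientssl profile has Client Authentication set to request or require, and that the backend reads a header named X-Client-Cert (a name chosen here); the subtable name client_certs is also an assumption.

```tcl
# Added example: pass the client's certificate to the pool member in an HTTP
# header. The F5 cannot replay the certificate in the server-side handshake
# (it never holds the client's private key), so the header is the hand-off.

when CLIENTSSL_CLIENTCERT {
    # Fires only when the client actually presents a certificate.
    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 is the DER-encoded leaf certificate; base64 it so it
        # fits in a single header value, and capture the subject once here
        # because on a resumed session no certificate is re-sent.
        set der [SSL::cert 0]
        set rec [list [b64encode $der] [X509::subject $der]]
        # Store per SSL session (1 h) so resumed sessions, where this event
        # does not fire again, still carry the identity. Subtable name is
        # an assumption for this example.
        table set -subtable client_certs [SSL::sessionid] $rec 3600
    }
}

when HTTP_REQUEST {
    # Never trust a copy of these headers arriving from the client:
    # remove every instance first so a client cannot forge an identity
    # toward the backend.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"

    set rec [table lookup -subtable client_certs [SSL::sessionid]]
    if { $rec ne "" } {
        HTTP::header insert "X-Client-Cert" [lindex $rec 0]
        HTTP::header insert "X-Client-Cert-Subject" [lindex $rec 1]
    }
    # If no certificate was presented the headers are simply absent;
    # the backend must treat absence as "unauthenticated", not as an error.
}
```

The backend must only accept these headers from the F5 (restrict direct reachability of the pool members), otherwise anyone who can reach the server without going through the LTM can set them.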
- JCipolla_256443 (Nimbostratus)
As it turns out, I really misinterpreted what I needed for this. This function is provided through the Server SSL profile where it will do the F5 to Server authentication. I'm still pretty new to this type of functionality with LTM, so thanks to everyone for giving me quick responses.