Forum Discussion

JCipolla_256443's avatar
JCipolla_256443
Icon for Nimbostratus rankNimbostratus
Jun 08, 2016

iRule to access F5 certificate store

I am looking to create an iRule to inject a client certificate that is not provided in the client session. I can upload the client certificate to the F5, but I am looking at how I would call that from inside of the iRule. Any ideas?

 

  • As it turns out, I really misinterpreted what I needed for this. This function is provided through the Server SSL profile where it will do the F5 to Server authentication. I'm still pretty new to this type of functionality with LTM, so thanks to everyone for giving me quick responses.

     

  • This probably deserves some clarification on what you're trying to accomplish, but generally speaking there is NO method to install a certificate into the F5 keystore from an iRule. These two things function on different planes. Now, it would technically be possible to do something that bridged the management and data planes, but this would be beyond dangerous.

     

  • Are you trying to insert the client certificate into the server side SSL handshake?

     

  • Strictly speaking, the client certificate is presented to the server during the SSL handshake and after the server requests it. More important, after the client sends its certificate, it sends a separate message that is digitally signed with its private key. In other words, once you've decrypted the traffic on the client side you cannot send the client's certificate to the backend server in an SSL handshake because you wouldn't have access to the client's private key.

     

    So what we need to define now is how you need the client certificate. If your application can accept it in an HTTP header that's the absolute easiest option.

     

  • As it turns out, I really misinterpreted what I needed for this. This function is provided through the Server SSL profile where it will do the F5 to Server authentication. I'm still pretty new to this type of functionality with LTM, so thanks to everyone for giving me quick responses.