Forum Discussion
John_Deckers
Nimbostratus
NimbostratusIs SSL::cert populated when using APM "On-Demand Cert Auth"?
Hi!
I have configured client cert authentication using APM and its On-Demand Cert Auth action. I would like to retrieve the client certificate in an iRule event (HTTP_REQUEST) using SSL::cert comma...
Jared_ShieldsNimbostratus
NimbostratusHey !
I had the same issue with the thumbprint not matching... I was able to get it to work, but im not proud about the method though (and I havent looked into _why_ this works). I planned to come back to this to delve deeper to understand why this works, but in the meantime, here's what worked for me:
set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]
set cert [b64decode [b64encode [X509::pem2der $cert_pem]]]
set cert_thumbprint_binary [sha1 $cert]
binary scan $cert_thumbprint_binary H* cert_thumbprint_hexI have absolutely NO idea why converting the DER certificate to B64 and back again causes the correct thumbprint/sha1 to be generated.... But nevertheless, after doing the encode/decode, I'm now getting the same hex thumbprint that windows and other libraries generate.
With respect to the variable getting chopped off, I'm pretty new to BIG-IP so I can't speculate much on that... Sorry!