Forum Discussion

rc_mike_110258
Nimbostratus
Jun 02, 2009

Log client certificate to a file

Hello group,

I have configured the following iRule to insert the client certificate in a header named x-client-cert for an https virtual server.

I'm looking for a way to log the client certificate sent by the user to a log file on the F5 in PEM format.

At the same time, is there any way to log an alarm when the client sends an invalid client certificate (that is, expired cert, revoked cert...)? I'm looking in the F5 logs and can't find any trace when a client tries to access with an invalid client certificate.

=============

when CLIENTSSL_CLIENTCERT {
    # Key the session table on the SSL session ID so the cert is still
    # reachable in HTTP_REQUEST, where SSL::cert is not available.
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        # SSL::cert 0 returns the client (leaf) certificate in DER form
        session add ssl $cur [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert ne "" } {
        # DER bytes are not header-safe, so base64 encode them first
        HTTP::header insert x-client-cert [b64encode $the_cert]
    }
}

=============

Thank you in advance,

Miguel Ángel.
  • Colin_Walker_12
    Historic F5 Account
    Miguel,

    You probably want to take a look at the X509 commands. With the not_valid_after date, you could easily look to see if a cert has expired, then do whatever you'd like with that connection.

    Colin
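Putting Miguel's two requests and Colin's pointer to the X509 commands together, here is an added iRule (example code written for this thread, not from the original post or from F5) that writes the client certificate to the log in PEM form and raises an alert-level entry when the SSL stack reports the certificate as invalid. It assumes the client SSL profile has client authentication set to "request" so a failed verification still reaches CLIENTSSL_CLIENTCERT, and that X509::whole, X509::not_valid_after, SSL::verify_result and X509::verify_cert_error_string exist on the running version.

```tcl
# Added example iRule: log the client cert in PEM form, alarm on invalid certs.
# Assumes the client SSL profile uses client auth mode "request", so that a
# failed verification still fires CLIENTSSL_CLIENTCERT instead of silently
# dropping the handshake before the iRule can see it.
when CLIENTSSL_CLIENTCERT {
    # No cert presented at all: nothing to log
    if { [SSL::cert count] < 1 } {
        log local0.notice "client [IP::client_addr]: no client certificate presented"
        return
    }

    set cert    [SSL::cert 0]
    set subject [X509::subject $cert]
    set serial  [X509::serial_number $cert]

    # SSL::verify_result is 0 when the chain verified cleanly; any other value
    # is an OpenSSL X509_V_ERR code (expired, unknown issuer, revoked, ...)
    set vres [SSL::verify_result]
    if { $vres != 0 } {
        # Alert-level entry for the SOC: who, which cert, and the reason
        log local0.alert "INVALID client cert from [IP::client_addr]: subject=\"$subject\" serial=$serial reason=\"[X509::verify_cert_error_string $vres]\" not_valid_after=\"[X509::not_valid_after $cert]\""
        # Policy decision: drop the connection rather than pass a bad cert upstream
        reject
        return
    }

    # Good cert: record it in PEM form. X509::whole returns PEM text with
    # embedded newlines, so emit it line by line to keep syslog entries intact.
    log local0.info "client cert OK from [IP::client_addr]: subject=\"$subject\" serial=$serial expires=\"[X509::not_valid_after $cert]\""
    foreach line [split [X509::whole $cert] "\n"] {
        if { $line ne "" } {
            log local0.info "PEM $serial: $line"
        }
    }

    # Keep the PEM text for HTTP_REQUEST, keyed on the SSL session ID (1h TTL)
    session add ssl [SSL::sessionid] [X509::whole $cert] 3600
}

when HTTP_REQUEST {
    set pem [session lookup ssl [SSL::sessionid]]
    if { $pem ne "" } {
        # Header values cannot carry newlines, so base64 the PEM text
        HTTP::header insert x-client-cert [b64encode $pem]
    }
}
```

Unlike the original iRule, the session entry here holds PEM rather than raw DER, so the backend receives base64 of the PEM text and must decode accordingly.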