Forum Discussion
Hi Michael,
If you want to do Client Certificate Authentication 'always' for a virtual server, you can modify the client-ssl profile you're using to achieve as much. The setting is called 'Client Certificate' and should be set to 'require'.
Make sure to also upload the chain for valid certificates and select it in the 'Trusted Certificate Authorities' and 'Advertised Certificate Authorities' picklists.
This way, you can simply use the following iRule to achieve your goal:
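    when HTTP_REQUEST {
        # Drop any client-supplied copy so the backend only sees the verified certificate
        HTTP::header remove "SSL_CLIENT_CERT"
        # Forward the PEM-encoded client certificate from the TLS handshake
        HTTP::header insert "SSL_CLIENT_CERT" [X509::whole [SSL::cert 0]]
    }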
This differs from your iRule in that it doesn't use the iRule to renegotiate the connection to make sure the client sends a certificate. If, however, you want to only request/require a client certificate for specific URLs, you're going to need something along the lines of your iRule, or you're going to need the APM module with the 'OnDemand Certificate Auth' building block.
Kind regards,
Thomas
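
A backend-side check for the forwarded SSL_CLIENT_CERT header, as an added example that is not part of the post above or of any F5 code: it refuses requests where the header is missing or appears more than once, then decodes the PEM value to DER and fingerprints it. The function names are hypothetical, the sample bytes are a constructed placeholder rather than a real certificate, and it assumes the PEM line breaks may reach the backend as spaces or CR/LF.

```python
import base64
import hashlib
import re

HEADER = "ssl_client_cert"  # header name used by the iRule on this page
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def client_cert_der(headers):
    """Return the DER bytes of the proxy-supplied certificate.

    headers: list of (name, value) pairs as received by the backend.
    Raises ValueError when the header is missing, duplicated or malformed.
    """
    values = [v for k, v in headers if k.lower() == HEADER]
    if len(values) != 1:
        # Zero: the request did not pass through the proxy. More than one:
        # a client-supplied copy arrived too, so neither can be trusted.
        raise ValueError(f"expected 1 {HEADER} header, got {len(values)}")
    match = PEM_RE.fullmatch(values[0].strip())
    if match is None:
        raise ValueError("value is not a single PEM certificate")
    # Assumption: PEM line breaks may arrive as spaces or CR/LF.
    body = "".join(match.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("PEM body is not valid base64") from exc
    if not der.startswith(b"\x30"):  # X.509 is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def fingerprint(der):
    """SHA-256 fingerprint, for comparison with an allow-list or logs."""
    return hashlib.sha256(der).hexdigest()


# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(64))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE----- "
              + " ".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + " -----END CERTIFICATE-----")

if __name__ == "__main__":
    ok = [("Host", "app.example"), ("SSL_CLIENT_CERT", SAMPLE_PEM)]
    print(fingerprint(client_cert_der(ok)))
```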