Forum Discussion
Kevin_Stewart
Aug 08, 2013 (Employee)
1. This depends on what you mean by validation. The client SSL profile is going to provide some preliminary validation (trust chain, expiration, etc.), but anything beyond that (OCSP, CRLDP) is going to require the Access Policy Manager (APM) module. You can, however, insert a static CRL into the client SSL profile for local revocation checking.
2. Take a look at the X509:: wiki page (https://devcentral.f5.com/wiki/iRules.X509.ashx). Once you've terminated SSL and received the client certificate, the X509 values of that certificate will be available via a set of X509:: commands. You can then simply insert those values into HTTP headers.
*Crude* example:
    when HTTP_REQUEST {
        # Only act if the client presented a certificate during the handshake
        if { [SSL::cert count] > 0 } {
            # Copy the subject DN of the first (leaf) client cert into a request header
            HTTP::header insert CERTSUBJECT [X509::subject [SSL::cert 0]]
        }
    }
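A fuller version of the same idea, added here as an example and not taken from the post above: it strips any same-named headers the client sent itself before inserting the certificate values, so the backend only ever sees fields set by the iRule. It assumes the client SSL profile requests a client certificate; the X-Client-Cert-* header names are my own choice, not an F5 convention.

```tcl
# Added example (not from the original post). Assumes the client SSL profile
# requests or requires a client certificate, so SSL::cert 0 is populated.
# The X-Client-Cert-* header names are arbitrary, not an F5 convention.
when HTTP_REQUEST {
    # Remove any client-supplied copies of these headers first, so a client
    # cannot pre-fill them and have the backend trust a value the iRule never set.
    foreach h {X-Client-Cert-Subject X-Client-Cert-Issuer X-Client-Cert-Serial X-Client-Cert-PEM} {
        HTTP::header remove $h
    }
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        HTTP::header insert X-Client-Cert-Subject [X509::subject $cert]
        HTTP::header insert X-Client-Cert-Issuer  [X509::issuer $cert]
        HTTP::header insert X-Client-Cert-Serial  [X509::serial_number $cert]
        # X509::whole returns the PEM; fold its newlines so it fits on one header line
        HTTP::header insert X-Client-Cert-PEM [string map [list "\n" " "] [X509::whole $cert]]
    }
}
```

Because the headers are removed unconditionally, a request without a client certificate reaches the backend with none of these headers rather than with whatever the client chose to send.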