Forum Discussion
Antoine_80417
Nimbostratus
Apr 13, 2011
Multiple certificate authorities and authentication profiles
Hello,
This is my first post on this forum so first, let me introduce myself: I'm a network and security engineer, I work for a company that uses quite a lot of F5 appliances as GTMs, LCs or...
Joel_Moses
Nimbostratus
Apr 15, 2011
Hoolio, maybe you know this one since I know you've done work with extended cert revocation checking in the past: is it possible to read the issuer from a presented client cert and then use that value to change what OCSP profile you use in AUTH::start? Normally it's invoked with "[AUTH::start pam default_ssl_ocsp]", but if you know the specific name of the profile (say, my_ocsp_profile), can it be invoked with either "[AUTH::start pam tmm_my_ocsp_profile]" or "[AUTH::start pam my_ocsp_profile]"? The Wiki is a little weak in this area.
The reason I ask is that I think that's what Antoine is asking for: the ability to detect which issuer the presented client cert has, and switch between a few different revocation profiles (OCSP or CRLDP) based on that value. Might be able to be done in a modification to the authentication iRule if AUTH::start can be switched in that way.
