Pass Client certificate

Question

I would like to be able to pass a client certificate to the server untouched by the F5. I have multiple clients all using the same cert.

hoolio · Answer

Hi Steve, 
&nbsp;  
&nbsp; If you don't add a client or server SSL profile to the VS, LTM will not decrypt the traffic and the pool members will see the original client cert.  If you need to decrypt the clientside SSL, you cannot have LTM proxy the client's cert as it doesn't have the client's SSL private key.   
&nbsp;  
&nbsp; You could have LTM do one or more of the following: 
&nbsp;  
&nbsp; - check the client cert against a root CA cert you import and configure in the client SSL profile 
&nbsp; - validate the client cert against an OCSP server, CRL, etc using the Advanced Client Auth module 
&nbsp; - use its own client cert to establish a serverside SSL handshake with the pool members 
&nbsp;  
&nbsp; Aaron

steve_lattray_5 · Answer

Thank you this was very helpfull.

Forum Discussion

Pass Client certificate

2 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

Request Client Certificate And Pass To Application

Automating Certificate Management on F5 BIG-IP

Automating ACMEv2 Certificate Management on BIG-IP

SSL Client Certification Alert 46 Unknown CA

BIG-IQ Client Certificate (PKI) Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS