Forum Discussion

SSHSSH_97332
Oct 24, 2012

Pass HTTPS Certificate into HTTP header

I have a VS terminating SSL traffic (HTTPS), then directing to pool members on port 80 (HTTP).


The issue is that the application server provides each connecting client with certain privileges based on the certificate (client-side certificate) installed on their machine.


Since F5 is doing HTTPS offload, can I pass certificate info to pool members on HTTP, or what is the solution?


2 Replies

  • If you've terminated the SSL at the BIG-IP you cannot send the original certificate to the back end servers as the digital signature has been erased. During the SSL handshake the server will ask for the client's certificate. The client will compute a hash of some data and encrypt that hash with their private key before sending the signed hash (digital signature) and public key to the server. The server will compute a hash over the same data, decrypt the client's signed hash with their public key and then compare the two. If they're the same then the server knows the client is legitimate. At this point the digital signature is gone, so the server would have to have a copy of the client's private key to generate a new one.


    There are several options then:


    1. HTTP headers (or other transmittable forms) - once you've terminated the SSL the BIG-IP has full access to the X.509 data in the certificate. It would be trivial then to pass, as HTTP headers, any portion of the client's X.509 information to the server. Whatever process you have on the server side to validate the client certificate information would simply have to be altered to consume an HTTP header instead.


    2. ProxySSL - if the above isn't an option, ProxySSL allows the BIG-IP to perform an SSL man-in-the-middle between the client and server. The client can transmit their signed data to the server, and the BIG-IP can transparently decrypt the data in transit to be able to use it in iRules. ProxySSL does have some limitations though. You cannot interrupt the client-server SSL negotiation, so any iRule or process that may alter the path or stop the flow during that negotiation will fail.
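As an added illustration of option 1 above (this is example code written for this page, not from the original reply or from F5's documentation), the following iRule copies the client certificate's X.509 fields into HTTP headers on the way to the pool members. The header names (X-Client-Cert-*) are arbitrary choices for the example; the virtual server is assumed to carry a client SSL profile with client authentication set to request or require. The important defensive detail is that the same headers are stripped from every incoming request before the BIG-IP inserts its own values, so the application server never sees a header a client could have supplied itself.

```tcl
# Added example: forward client-certificate identity to HTTP pool members.
# Header names are arbitrary for this example; agree them with the app team.

when CLIENTSSL_CLIENTCERT {
    # Fires when the client presents a certificate chain during the handshake.
    # Save the leaf certificate's fields in connection-scoped variables.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set client_cert_subject [X509::subject $cert]
        set client_cert_issuer  [X509::issuer $cert]
        set client_cert_serial  [X509::serial_number $cert]
        # Whole DER certificate, base64-encoded, for servers that need to
        # read extensions or map the identity themselves. Can be several KB.
        set client_cert_b64 [b64encode $cert]
        # Outcome of the BIG-IP's own chain validation against the profile's
        # trusted CA bundle, as a human-readable string ("ok" on success).
        set client_cert_verify [X509::verify_cert_error_string [SSL::verify_result]]
    }
}

when HTTP_REQUEST {
    # Remove any copies of these headers sent by the client, whether or not a
    # certificate was presented. The pool member must only ever trust values
    # that this iRule inserted; otherwise a plain HTTP header could assert a
    # privileged identity.
    foreach h {
        "X-Client-Cert-Subject"
        "X-Client-Cert-Issuer"
        "X-Client-Cert-Serial"
        "X-Client-Cert"
        "X-Client-Cert-Verify"
    } {
        HTTP::header remove $h
    }

    # Only insert headers when the handshake actually yielded a certificate;
    # a request without them is an unauthenticated client to the server.
    if { [info exists client_cert_subject] } {
        HTTP::header insert "X-Client-Cert-Subject" $client_cert_subject
        HTTP::header insert "X-Client-Cert-Issuer"  $client_cert_issuer
        HTTP::header insert "X-Client-Cert-Serial"  $client_cert_serial
        HTTP::header insert "X-Client-Cert"         $client_cert_b64
        HTTP::header insert "X-Client-Cert-Verify"  $client_cert_verify
    }
}
```

Two points to check when deploying something like this: the pool members should accept these headers only from the BIG-IP's self IPs (or over a server-side TLS profile), since the header-stripping only protects the path that actually traverses this virtual server; and the variables are set per TCP connection, so confirm in your version how resumed SSL sessions behave before relying on the headers being present on every request.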
  • Proxy SSL also has some other caveats (like cipher support) you should consider. If you opt for this method, be sure to check out this page: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html