For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

LyonsG_85618's avatar
LyonsG_85618
Icon for Cirrostratus rankCirrostratus
Nov 16, 2012

Passing decoded certficates in HTTP header

Hi folks.     I have been requested to setup BIG-IP to request certificate authentication and then insert the WHOLE UNENCODED certificate into the HTTP header and pass it to a differnt virtua...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 16, 2012
The syntax of the command should be: 


[X509::whole [SSL::cert 0]]

Without the X509 command, [SSL::cert 0] produces the binary representation of the certificate (in DER encoding). You don't want to send binary data in an HTTP header. The X509::whole command produces a PEM encoding of that certificate, which is base64 with additional header/footer data. It also has line breaks in it, so your best bet for getting it sent in a header is to either base64 encode it again, or simply base64 encode the [SSL::cert 0]:

[b64encode [SSL::cert 0]]

Then at the over VIP just decode to get to the binary certificate:

[b64decode [HTTP::header "X509Certificate"]]

** with appropriate error checking - invalid data will bomb the b64decde command.