Forum Discussion

Nimbostratus

Jan 30, 2019

Reject connections with no extention keyusage in client certificate

Good morning everyone! One of our client is asking me to be able to block all connections where the client certificate does not contain the keyusage extention. I found this link which i...

Nacreous

Jan 30, 2019

As per the documentation in the Wiki you provided, the command

X509::extensions

returns

"(no extensions)"

if the certificate doesn't have any extensions.

Most of the information you need to put a very simple iRule together can be found in the example section of the Wiki. In it's simplest form you could use the following:

when CLIENTSSL_CLIENTCERT {
    if {[X509::extensions [SSL::cert 0]] eq "(no extensions)"} {
        reject
    }
}

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Reject connections with no extention keyusage in client certificate

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How APM GET IOS UUID & Andriod MAC

Expired client-certificate

F5 Big-IP Trust Internal CA Chain certificates for Web Servers

XC - geo LB to the origin servers

Floating Ip Problem

Related Content

Automating Certificate Management on F5 BIG-IP

Automating ACMEv2 Certificate Management on BIG-IP

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Automate Let's Encrypt Certificates on BIG-IP

Re: Management Certificate

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS