Gregory_Gerard_
Mar 06, 2012 Nimbostratus
Request arbitrary client certificate in iRule rather than by profile
I'm missing it if it's possible in the SSL:: stuff, but here's what I'd like:
Server terminates SSL on 443
From the URL it can be known that a client certificate should be provided by the browser.
However, the CA to prompt for is a function of the URL and there are many (CA per customer).
In the end, I'm going to extract the interesting X509 items and pass them to the origin server for processing, so I really just need the client to send the certificate.
Ideally, I'd have a map of URL-Feature->DN-of-CA-to-Request -- if I see the URL feature, trigger renegotiation and get the certificate, fail if not provided.
Sane or futile?