Forum Discussion

Mar 06, 2012

Request arbitrary client certificate in iRule rather than by profile

I'm missing it if it's possible in the SSL:: stuff but here's what I'd like:

Server terminates SSL on 443.

From the URL it can be known that a client certificate should be provided by the browser.

However, the CA to prompt for is a function of the URL and there are many (CA per customer).

In the end, I'm going to extract the interesting X509 items and pass them to the origin server for processing, so I really just need the client to send the certificate.

Ideally, I'd have a map of URL-Feature->DN-of-CA-to-Request -- if I see the URL feature, trigger renegotiation and get the certificate, fail if not provided.

Sane or futile?


1 Reply

  • Hi Gregory,

    I'm not sure this is feasible, as I think you need to tell the client which CAs' certs you'll accept using the Advertised CA bundle option in the client SSL profile. I think if you don't send a CA for a client cert the client has, they won't get prompted for a cert and can't provide it. Have you tried testing this on a non-production virtual server or LTM unit?

    For reference, here's a description of the SSL handshake process:

    The serverHello message should contain "a list of...the Distinguished Names of acceptable Certification Authorities (CAs)":

    The SSL server responds with a "server hello" message that contains the CipherSuite chosen by the server from the list provided by the SSL client, the session ID and another random byte string. The SSL server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a "client certificate request" that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs).
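The handshake detail in the reply above is the crux of the thread: the server's CertificateRequest carries the DER-encoded Distinguished Names of the CAs it will accept, and a browser only offers a client certificate whose issuer appears in that list. The following Python is an added example, not code from the original post and not an F5 iRule or API; it builds and parses a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) and shows what the poster's "URL feature -> CA DN" map would have to produce on the wire. All CA names, URL prefixes and the `CA_FOR_PATH` table are constructed for illustration.

```python
import struct

# Constructed example: every CA name, URL prefix and issuer below is made up.
HANDSHAKE_CERTIFICATE_REQUEST = 13

OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
OID_NAMES = {OID_CN: "CN", OID_O: "O"}


def der(tag, body):
    """Encode one DER TLV (lengths up to 65535 are enough for a Name)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + struct.pack("!H", n)
    return bytes([tag]) + length + body


def x509_name(o, cn):
    """DER Name: SEQUENCE of RDNs, each a SET of one AttributeTypeAndValue."""
    def rdn(oid, value):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, value.encode())))
    return der(0x30, rdn(OID_O, o) + rdn(OID_CN, cn))


def _read_tlv(buf, i):
    """Read one TLV at offset i; return (tag, value, offset after it)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return tag, buf[i:i + n], i + n


def name_to_str(der_name):
    """Render a DER Name as 'O=..., CN=...' for display and matching."""
    _, seq, _ = _read_tlv(der_name, 0)
    parts, i = [], 0
    while i < len(seq):
        _, rdn_set, i = _read_tlv(seq, i)
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid, j = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, j)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ", ".join(parts)


def build_certificate_request(ca_names):
    """TLS 1.2 CertificateRequest: cert types, signature algs, CA DN list."""
    cert_types = bytes([1, 1])          # one entry: rsa_sign
    sig_algs = bytes([4, 1, 5, 1])      # sha256/rsa, sha384/rsa
    sig_algs = struct.pack("!H", len(sig_algs)) + sig_algs
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    cas = struct.pack("!H", len(cas)) + cas
    body = cert_types + sig_algs + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Return the DER CA names advertised in a CertificateRequest message."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    i = 1 + body[0]                                   # skip certificate_types
    i += 2 + struct.unpack("!H", body[i:i + 2])[0]    # skip signature_algorithms
    total = struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    end, cas = i + total, []
    while i < end:
        n = struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        cas.append(body[i:i + n])
        i += n
    return cas


# The poster's idea: a URL feature selects which customer CA to advertise.
CA_FOR_PATH = {
    "/acme/": x509_name("Acme Corp", "Acme Customer CA"),
    "/globex/": x509_name("Globex", "Globex Client CA"),
}


def certificate_request_for_url(path):
    """CertificateRequest a server would need to send for this URL prefix."""
    for prefix, ca in CA_FOR_PATH.items():
        if path.startswith(prefix):
            return build_certificate_request([ca])
    return None  # no client certificate wanted for this URL


def client_can_answer(msg, client_issuer_der):
    """A browser only offers a cert whose issuer DN is in the advertised list."""
    return any(ca == client_issuer_der for ca in parse_certificate_request(msg))


if __name__ == "__main__":
    req = certificate_request_for_url("/acme/login")
    for ca in parse_certificate_request(req):
        print("advertised CA:", name_to_str(ca))
```

The example makes the reply's objection concrete: the CA list is a field of the CertificateRequest sent during the handshake, so whatever selects the CA per URL has to run before (or in a renegotiation after) the URL is known, and a client whose certificate issuer is not in that list will simply not present one. Advertising every customer CA at once, as a single bundle, is the alternative the profile-based setting supports.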