Forum Discussion
Request client cert auth based on URL
- Apr 20, 2022
Try replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]
when using negation operation using NOT, you don't need to use else statment. Remove the else statment and it should work.
You can't control what client is sending client mTLS certificate, but you can verify if the incoming mTLS cert matches the subjectDN and is from the trusted issuer. You can modify the iRule to parse subjectDN of the cert and match it against the datagroup of known client cert. In the SSL profile, you can use chain of the trusted issuer.
- MarvinApr 15, 2022Cirrocumulus
So i guess there is no way to request for specific CA client certificate when doing the renegotiate as you said we have to parse the client cert manually to see if it comes from a specific CA but it would be far better to be able to request a specific client Cert when doing so. It makes the irule more complex, anyway do you have perhaps an example of irule that reads and verifies this?
Regarding else will remove and test next week.
- spalandeApr 20, 2022Nacreous
It's not technically possible to control the client on what certificate they can send. from BIGIP, you can use advertised cert authority setting in clientssl profile to tell client that which CA BIGIP will trust.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com