Forum Discussion
CirrocumulusRequest client cert auth based on URL
Try replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]
Nacreouswhen using negation operation using NOT, you don't need to use else statment. Remove the else statment and it should work.
You can't control what client is sending client mTLS certificate, but you can verify if the incoming mTLS cert matches the subjectDN and is from the trusted issuer. You can modify the iRule to parse subjectDN of the cert and match it against the datagroup of known client cert. In the SSL profile, you can use chain of the trusted issuer.
CirrocumulusSo i guess there is no way to request for specific CA client certificate when doing the renegotiate as you said we have to parse the client cert manually to see if it comes from a specific CA but it would be far better to be able to request a specific client Cert when doing so. It makes the irule more complex, anyway do you have perhaps an example of irule that reads and verifies this?
Regarding else will remove and test next week.
- spalande
It's not technically possible to control the client on what certificate they can send. from BIGIP, you can use advertised cert authority setting in clientssl profile to tell client that which CA BIGIP will trust.
