Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Apr 12, 2022

Request client cert auth based on URL

I am trying to request client cert authentication based on select URL and it works with a whitelist only but when i use the negate in the datagroup with a datagroup including URI string values it doe...
application delivery
cert auth
irule
  • spalande's avatar
    spalande
    Apr 20, 2022

    Try  replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus

So i guess there is no way to request for specific CA client certificate when doing the renegotiate as you said we have to parse the client cert manually to see if it comes from a specific CA but it would be far better to be able to request a specific client Cert when doing so. It makes the irule more complex, anyway do you have perhaps an example of irule that reads and verifies this?

Regarding else will remove and test next week.

spalande's avatar
spalande
Icon for Nacreous rankNacreous
Apr 20, 2022

It's not technically possible to control the client on what certificate they can send. from BIGIP, you can use advertised cert authority setting in clientssl profile to tell client that which CA BIGIP will trust.