Retrieve UPN from client certificate SAN RFC 822 Name:

Question

Dear all,&nbsp;I would like to retrieve the UPN from the SAN of the client certificate which has the field RFC 822 Name:user@domain.com.The APM collect the information inside the session.ssl.cert.x509extension variable as email:user@domain.com&nbsp;In this link it is explained however here they use SAN field type of&nbsp;otherName:UPNhttps://my.f5.com/manage/s/article/K17063How should we modify the mcget command to get this value in session.logon.last.upn?

marvin · Answer

Hi Lucas, thanks for responding the variable contains the following (i masked sensitive data to test domains only) X509v3 extensions: X509v3 Subject Key Identifier: 76:09:B8:BA:1A:E9:09:86:78:22:9C:53:1B:D4:AF:E9:81:55:57:01 X509v3 Authority Key Identifier: keyid:DD:0C:FD:A1:21:AF:E3:AC:F3:6E:93:04:AB:D5:07:8B:B9:24:08:08 X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27171.175.10.1.30 CPS: http://info.pki.test.eu/cps Policy: 0.4.0.2042.1.2 X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin X509v3 Key Usage: critical Digital Signature, Non Repudiation X509v3 Subject Alternative Name: email:john.bar@ext.Test.eu X509v3 CRL Distribution Points: Full Name: URI:http://info.pki.test.eu/crl/Test-EU-Users-CA.crl Full Name: URI:ldap://ldap.test.com.eu/CN=Test%20EU%20Users%20CA,O=Test,C=BE?certificateRevocationList?base?objectClass=pkiCA Authority Information Access: CA Issuers - URI:http://info.pki.test.com/cacerts/Test-EU-Users-CA.p7b CA Issuers - URI:ldap://test.domain.comCN=CU%20Users%20CA,O=Tlium,C=BE?cACertificate?base?objectClass=pkiCA OCSP - URI:http://otest.pki.test.com

marvin · Answer

so we should find Subject Alternative Name: email:john.bar@ext.Test.eu with mcget command inside the VPE policy, I woild rather prefer this instead of using Irules

marvin · Answer

Hi Lucas would you already have some kind of feedback on this?

lucas_thompson · Answer

Can you share your example certificate's exact "session.ssl.cert.x509extension" value formatted this way? It shouldn't be too tough to adapt that VPE rule to handle either othername:upn or rfc822 style format.

lucas_thompson · Answer

When you review the session variables for this session, what exactly do the variables look like? I'd assume looking at the output that APM would already parse these values into session variables. To check that, log in with your user and look at their "Variables" using this part of the GUI:

&nbsp;

Forum Discussion

Retrieve UPN from client certificate SAN RFC 822 Name:

6 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

SSL Bridging and FQDN rewrite Policy

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

Could not communicate with the system. Try to reload page.

F5 BIG IP laboratory license

F5 mssql health monitor failing

Related Content

Automating Certificate Management on F5 BIG-IP

Automating ACMEv2 Certificate Management on BIG-IP

SSL Client Certification Alert 46 Unknown CA

BIG-IQ Client Certificate (PKI) Authentication

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS