Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Jun 11, 2024

Retrieve UPN from client certificate SAN RFC 822 Name:

Dear all,

 

I would like to retrieve the UPN from the SAN of the client certificate which has the field RFC 822 Name:user@domain.com.

The APM collect the information inside the session.ssl.cert.x509extension variable as email:user@domain.com 

In this link it is explained however here they use SAN field type of otherName:UPN

https://my.f5.com/manage/s/article/K17063

How should we modify the mcget command to get this value in session.logon.last.upn?

4 Replies

  • Can you share your example certificate's exact "session.ssl.cert.x509extension" value formatted this way? It shouldn't be too tough to adapt that VPE rule to handle either othername:upn or rfc822 style format.

    • Marvin's avatar
      Marvin
      Icon for Cirrocumulus rankCirrocumulus

      Hi Lucas, thanks for responding the variable contains the following (i masked sensitive data to test domains only) X509v3 extensions: X509v3 Subject Key Identifier: 76:09:B8:BA:1A:E9:09:86:78:22:9C:53:1B:D4:AF:E9:81:55:57:01 X509v3 Authority Key Identifier: keyid:DD:0C:FD:A1:21:AF:E3:AC:F3:6E:93:04:AB:D5:07:8B:B9:24:08:08 X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27171.175.10.1.30 CPS: http://info.pki.test.eu/cps Policy: 0.4.0.2042.1.2 X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin X509v3 Key Usage: critical Digital Signature, Non Repudiation X509v3 Subject Alternative Name: email:john.bar@ext.Test.eu X509v3 CRL Distribution Points: Full Name: URI:http://info.pki.test.eu/crl/Test-EU-Users-CA.crl Full Name: URI:ldap://ldap.test.com.eu/CN=Test%20EU%20Users%20CA,O=Test,C=BE?certificateRevocationList?base?objectClass=pkiCA Authority Information Access: CA Issuers - URI:http://info.pki.test.com/cacerts/Test-EU-Users-CA.p7b CA Issuers - URI:ldap://test.domain.comCN=CU%20Users%20CA,O=Tlium,C=BE?cACertificate?base?objectClass=pkiCA OCSP - URI:http://otest.pki.test.com

      • Marvin's avatar
        Marvin
        Icon for Cirrocumulus rankCirrocumulus

        so we should find Subject Alternative Name: email:john.bar@ext.Test.eu with mcget command inside the VPE policy, I woild rather prefer this instead of using Irules

    • Marvin's avatar
      Marvin
      Icon for Cirrocumulus rankCirrocumulus

      Hi Lucas would you already have some kind of feedback on this?