Selective Client Certificate Validation

Question

Can you please give me a sample of an irule that validates a particular client certificate (client certificate set to require). Trusted CA certificate is Verisign, specific client cert has this common name, serial number and thumbprint.

kevin_stewart · Answer

Without more specifics, here's how you'd extract some of the X509 certificate data within an iRule:
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] &gt; 0 } {
        set commonname [X509::subject [SSL::cert 0]]
        set serial [X509::serial_number [SSL::cert 0]]

}
}

Again, not very specific, but you can see how to get the common name/subject and cert serial. From there you can perform whatever evaluations you need.
I also don't believe you can get at the thumbprint within the scope of X509 commands. It is possible through some binary parsing, but waiting to see if you absolutely need that.

what_lies_bene1 · Answer

What do you want to do with the other traffic?

Forum Discussion

Selective Client Certificate Validation

2 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Questions on Migrating configs from iSeries to RSeries F5s

rSeries Configuration Backup

reading Client SSL Profile details via Ansible

Raise your hand if you'll be at AppWorld 2026

AWIC (test)

Related Content

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

POC: Validate JWT with iRule

Modernizing F5 BIG-IP Synchronized HA Pairs with Ansible Validated Content

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS