Forum Discussion

jlekt_135663
Nimbostratus
Oct 24, 2013

Send certificate data in an HTTP header with an iRule

Please, I want to know how I can send the data of a certificate in an HTTP header with an iRule.


3 Replies

  • The easiest would probably be something like this:

    HTTP::header replace CLIENTCERT [X509::subject [SSL::cert 0]]
    

    This would send the certificate subject in the CLIENTCERT header. If you wanted to send the entire certificate, you'd want to base64/URI-encode it first for transit:

    HTTP::header replace CLIENTCERT [URI::encode [b64encode [X509::whole [SSL::cert 0]]]]
    

    You can also send the raw DER-encoded certificate, but you definitely need to base64/URI-encode it first:

    HTTP::header replace CLIENTCERT [URI::encode [b64encode [SSL::cert 0]]]
    

    I'm not sure when, but I believe prior to some version of 11, the SSL::cert value didn't persist across TCP sessions. If you notice that the header is blank, that'll be why. You'll alternatively need to store the SSL cert data in the session table and call it up on each HTTP request.

  • The version that I use is BIG-IP 10.2.4. I'm new to this language (Tcl). I'm going to try it and report the result after that. In fact I want to authenticate to an application; for that, BIG-IP should send the certificate to Apache, and Apache sends the attribute to Tomcat using AJP.


  • I'm not 100% sure when the functionality changed, but please start with this:

    when HTTP_REQUEST {
        HTTP::header replace CLIENTCERT [X509::subject [SSL::cert 0]]
    }
    

    This will send the certificate subject name in the CLIENTCERT header (an arbitrary name) to the server on each HTTP request. Make sure that the client SSL profile specifies request or require client certificate authentication, and that the Trusted Certificate Authorities option contains a certifying authority certificate (or bundle of CA certificates) that can validate the client's certificate.

    Your Apache server should then be configured to look for this HTTP header in requests. Also notice that I used the HTTP::header replace command instead of HTTP::header insert. If you're going to be using the client certificate for authentication through an HTTP header, you want to make sure that the client cannot inject its own value. The replace function will overwrite anything that the client may send in the request.
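A fuller iRule that combines the two points raised in the replies above, the session-table fallback for the case where SSL::cert is empty on a resumed TLS session, and stripping any client-supplied header before adding the trusted one. This is an added example, not code posted in the thread or shipped by F5. The header names CLIENTCERT and CLIENTCERT-SUBJECT, the subtable name "clientcert" and the 3600-second table timeout are assumptions chosen for the example; the table command needs TMOS 10.1 or later.

```tcl
# Added example (not from the original thread): cache the validated client
# certificate in the session table keyed by TLS session ID so that requests on
# a resumed session (where SSL::cert may be empty) still carry it, remove any
# client-supplied CLIENTCERT* headers, then insert the subject and the
# base64/URI-encoded DER certificate. Header names, subtable name and the
# 3600 s timeout are assumptions for this example.
when CLIENTSSL_CLIENTCERT {
    # Runs when the client presents its certificate during the handshake.
    # Only cache a certificate that validated against the profile's Trusted
    # Certificate Authorities (SSL::verify_result 0 == X509_V_OK).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        table set -subtable "clientcert" [SSL::sessionid] [SSL::cert 0] 3600
    } else {
        log local0. "client cert missing or failed validation from [IP::client_addr]"
        reject
    }
}

when HTTP_REQUEST {
    # Never trust these headers from the client: remove every instance before
    # adding values derived from the TLS handshake.
    HTTP::header remove "CLIENTCERT"
    HTTP::header remove "CLIENTCERT-SUBJECT"

    # On the connection that did the full handshake SSL::cert is populated;
    # on a resumed session (or older TMOS) fall back to the cached copy.
    if { [SSL::cert count] > 0 } {
        set der [SSL::cert 0]
    } else {
        set der [table lookup -subtable "clientcert" [SSL::sessionid]]
    }

    if { $der eq "" } {
        # No certificate available for this request: refuse here rather than
        # forward an unauthenticated request to a server that trusts the header.
        HTTP::respond 403 content "client certificate required" "Connection" "close"
        return
    }

    # Subject for simple matching on the server, full DER certificate
    # base64- and URI-encoded so it is safe to carry in a header value.
    HTTP::header insert "CLIENTCERT-SUBJECT" [X509::subject $der]
    HTTP::header insert "CLIENTCERT" [URI::encode [b64encode $der]]
}
```

The remove-then-insert pair does the same job as HTTP::header replace but also clears duplicate client-sent copies of the header. The header is only meaningful as an authentication signal if the Apache server accepts it solely from the BIG-IP (for example by firewalling the backend so it is reachable only from the BIG-IP's self IPs), since anyone who can reach Apache directly could set it themselves.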