Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Mike_Rausch_628's avatar
Mike_Rausch_628
Icon for Nimbostratus rankNimbostratus
16 years ago

SSL Certificates and PKI

Our application allows users to log in to the web server using PKI certificates and all SSL offloading is done on the server.     I was wondering if you could have a client connect to the B...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
16 years ago
Hi Mike,

 

 

As Deb explained a while back, it isn't possible to have LTM use the client's cert to establish an SSL handshake with the pool members.

 

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=22280&ptarget=22289

 

 

There is no mechanism by which to directly forward the client's certificate via the standard authentication process, since using the client's cert to establish the session would require the LTM to use the client's private key as well. (A man-in-the-middle attack, basically)

 

 

You can instead use the session table to store the certificate & send it to the server via headers, assuming your app can pick it up from there. Here's an example from the iRules codeshare:

 

http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html

 

 

HTH

 

/deb

 

 

 

 

Aaron