F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

igorzhuk's avatar
igorzhuk
Icon for Altostratus rankAltostratus
Nov 08, 2018

SSL client Cert reuqest per URL

Hi I have LTM only how I can deploy client certificate request in specific URL if client go to the /example he doesn't need a certificate If he goes to /secure URL in the same VIP the client needs...
application delivery
iRules
LTM
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Nov 08, 2018

Hi Igor,

first of you have to configure your client cert like that:

Client Authentication:

  • Client Certificate: request
  • Frequency: once
  • retain cert: yes
  • Trust cert: your ca that sign user cert
  • Advert cert: your ca that sign user cert

Then try this irule:

when HTTP_REQUEST {

set cert_provided 0

if {[SSL::cert count] > 0}{
    for {set i 0} {$i < [SSL::cert count]} {incr i}{
        log local0. "uid: $uid - cert number: $i"
        log local0. "Issuer Info: [X509::issuer [SSL::cert $i]]"
        log local0. "cert serial: [X509::serial_number [SSL::cert $i]]"

        set cert_provided 1

        if { [SSL::verify_result] != 0 } {
            log local0. "uid: $uid - Cert Error: [X509::verify_cert_error_string [SSL::verify_result]]"
            set cert_provided 0
        }
    }
} else {
    log local0. "uid: $uid - No client certificate provided"
    set cert_provided 0
}

 uri that need auth
if {!($cert_provided)} {
    switch -glob [string tolower [HTTP::uri]] {
        "/uri1" { reject }
        "/uri2" { reject }
        "/uri3" { reject }
        default {
             do nothing
        }
    }

}

}