Steve_Brown_882
Historic F5 Account
Mar 31, 2008

SSL Client Certificate question?

I have searched AskF5 and here to find out if it is possible to forward a client certificate to the backend while still terminating SSL at the LTM box. Basically we have a SOAP application that is authenticating SOAP traffic on the backend via client certificates. We need to encrypt and decrypt on the LTM to direct traffic to the appropriate backend, but we need to then pass the client certificate to the backend. I could not find anything in the clientssl or serverssl settings that specified this or anything in the documentation.
  • Deb_Allen_18
    Historic F5 Account

    There is no mechanism by which to directly forward the client's certificate via the standard authentication process, since using the client's cert to establish the session would require the LTM to use the client's private key as well. (A man-in-the-middle attack, basically)

    You can instead use the session table to store the certificate & send it to the server via headers, assuming your app can pick it up from there. Here's an example from the iRules codeshare:

    http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html

    HTH

    /deb
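
The backend side of the header approach described in the reply above, as an added example that is not part of the thread or the linked codeshare iRule. With SSL terminated on the LTM, the backend no longer sees proof that the client holds the private key, so it should accept the certificate header only from the LTM and check it strictly. The header name `X-Client-Cert`, its base64-of-DER encoding, the proxy address and the fingerprint allow-list are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress

# Assumptions (none of these values come from the thread):
CERT_HEADER = "X-Client-Cert"  # hypothetical header inserted by the LTM iRule
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # constructed LTM self IP
# Constructed stand-in bytes, not a real certificate; the fingerprint is
# computed over whatever DER bytes arrive in the header.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-not-a-real-cert"
ALLOWED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}


def client_cert_fingerprint(peer_ip, headers):
    """Return the SHA-256 fingerprint of the forwarded cert, or None to reject.

    peer_ip is the TCP peer address; headers is a list of (name, value) pairs.
    """
    # 1. Only the load balancer may assert a client certificate.
    try:
        if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
            return None
    except ValueError:
        return None
    # 2. Header names are case-insensitive. More than one copy suggests a
    #    client-supplied header was not stripped upstream, so refuse it.
    values = [v for k, v in headers if k.lower() == CERT_HEADER.lower()]
    if len(values) != 1:
        return None
    # 3. Strict base64: reject anything that is not clean encoded data.
    try:
        der = base64.b64decode(values[0].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not der:
        return None
    # 4. Compare against the allow-list in constant time.
    fingerprint = hashlib.sha256(der).hexdigest()
    for allowed in ALLOWED_FINGERPRINTS:
        if hmac.compare_digest(fingerprint, allowed):
            return fingerprint
    return None
```

The LTM side should also remove any `X-Client-Cert` header that arrives from the client before inserting its own, otherwise a client can supply the value itself.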