ekanathdas_2662 (Nimbostratus)
May 07, 2012
We need to create an iRule that can verify a client's certificate by checking that the Subject line contains "CN=ABCD".
Hi team,
I was looking for an iRule which can check a client's certificate by checking whether the Subject line contains "CN=ABCD".
I had referred to the below site:
https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx
But in this case it's not for the same org.
Any help is appreciated.
Thanks,
Ekanath
- ekanathdas_2662 (Nimbostratus): Should the below work?
- hooleylist (Cirrostratus): That looks good. Make sure to check that there is a cert before trying to parse it, as you'll get a runtime error and TCP reset if you don't and the client doesn't present a client cert in the handshake.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Only parse the certificate if the client actually presented one
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # Lower-case the subject so the comparison is case-insensitive
        set subject [string tolower [X509::subject $cert]]
        set clientIP [IP::client_addr]
        if { $subject contains "cn=abcd.com" } {
            log local0. "cert CN valid"
            pool abcd
        } else {
            log local0. "cert CN not valid for client $clientIP"
            reject
        }
    }
}
```
- ekanathdas_2662 (Nimbostratus): Thanks Aaron, a lot.
- ekanathdas_2662 (Nimbostratus): Upon accessing the site with a valid cert, the client machine never makes it to the site. Looks like the packets are dropped during the negotiation. Is there anything more I need to edit in the iRule?
- ekanathdas_2662 (Nimbostratus): Please ignore my previous posting on 06/07/2012 08:49 PM
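
Added example, not part of the thread and not code from F5 or the posters: a plain Tcl comparison (runnable in tclsh) of the substring test used in the iRule above against an exact match on the parsed CN attribute. The procedure names and sample subject strings are constructed for illustration, and the parser assumes the subject is a comma-separated list of `attr=value` pairs with no escaped commas.

```tcl
# Added example: helper names and sample subjects are hypothetical/constructed.
# Assumption: subject is "attr=value,attr=value,..." with no escaped commas.

# Return the lower-cased CN value(s) found in a subject string.
proc subject_cns {subject} {
    set cns {}
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        set eq [string first "=" $rdn]
        if {$eq < 0} { continue }
        set attr  [string tolower [string trim [string range $rdn 0 [expr {$eq - 1}]]]]
        set value [string tolower [string trim [string range $rdn [expr {$eq + 1}] end]]]
        if {$attr eq "cn"} { lappend cns $value }
    }
    return $cns
}

# Exact match: the subject has exactly one CN and it equals the expected name.
proc cn_matches {subject expected} {
    set cns [subject_cns $subject]
    return [expr {[llength $cns] == 1 && [lindex $cns 0] eq [string tolower $expected]}]
}

# Substring test, equivalent to `$subject contains "cn=abcd.com"` in the thread.
proc cn_contains {subject expected} {
    return [expr {[string first "cn=[string tolower $expected]" [string tolower $subject]] >= 0}]
}

# Constructed subjects: the expected one, a longer name sharing the prefix,
# the string inside another attribute, and a subject with no CN at all.
foreach subject {
    "CN=abcd.com,OU=IT,O=Example Org,C=US"
    "CN=abcd.com.example.net,O=Other Org,C=US"
    "CN=someone,OU=cn=abcd.com,O=Other Org,C=US"
    "O=Example Org,C=US"
} {
    puts [format "%-45s contains=%d exact=%d" $subject \
        [cn_contains $subject "abcd.com"] [cn_matches $subject "abcd.com"]]
}
```

Only the first subject passes the exact check, while the substring check also accepts the second and third. In an iRule the same comparison would be applied to the value returned by `X509::subject`, once the separator format on the BIG-IP version in use has been confirmed.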