iRule: passing client cert to node

In this case, the BIG-IP terminates the SSL connections. The backend web server needs information from the client certificate, but the traffic from the BIG-IP to the node should not be re-encrypted.

We have successfully configured the BIGIP device to require client certificates - it accepts the certs and passes the traffic through. Now, we need to be able to read and manipulate the client cert at the backend IIS web server via ASP/ASP.NET code.

No problem. With iRules you have full access to the client certificate, and it's fairly simple to base64-encode the entire client certificate into an HTTP header and pass it to the backend web server. Here's what they finally came up with, with some guidance from the DevCentral team.

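  when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate under the SSL session ID the first time it is seen
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
      session add ssl [SSL::sessionid] [SSL::cert 0]
    }
  }

  when HTTP_REQUEST {
    # Look the certificate up again and pass it to the node base64-encoded
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
      HTTP::header replace SSLClientCert [b64encode $the_cert]
    }
  }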

Search Google for Base64 and VB and you should find an implementation of the decoding method (or check the forum thread below).

Click here for the original thread.
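
One way to decode the header on the backend, as an added example (not code from the original article or the DevCentral thread): C# that accepts the SSLClientCert header only when the request comes from the BIG-IP and turns the base64 value back into a certificate object. The class and method names, the placeholder addresses and the throwaway self-signed sample certificate are assumptions constructed for the example.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ForwardedClientCert
{
    // Hypothetical helper: returns the certificate carried in the SSLClientCert
    // header, or null when the header must not be trusted or does not decode.
    public static X509Certificate2 Parse(string headerValue, IPAddress peer, IPAddress bigIpAddress)
    {
        // Only the BIG-IP may assert a client identity; any other peer could forge the header.
        if (!peer.Equals(bigIpAddress)) return null;
        // A comma means several header values were merged; base64 never contains one.
        if (string.IsNullOrWhiteSpace(headerValue) || headerValue.Contains(",")) return null;
        try
        {
            byte[] der = Convert.FromBase64String(headerValue.Trim());
            return new X509Certificate2(der);
        }
        catch (FormatException) { return null; }         // not valid base64
        catch (CryptographicException) { return null; }  // not a certificate
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-client", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 sample = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            {
                string header = Convert.ToBase64String(sample.RawData);
                IPAddress bigIp = IPAddress.Parse("192.0.2.10");  // placeholder address

                X509Certificate2 ok = Parse(header, bigIp, bigIp);
                Console.WriteLine(ok.Subject + " " + ok.Thumbprint);
                // Same header from an unexpected peer, then a malformed value: both rejected.
                Console.WriteLine(Parse(header, IPAddress.Parse("198.51.100.7"), bigIp) == null);
                Console.WriteLine(Parse("not base64!", bigIp, bigIp) == null);
            }
        }
    }
}
```

Because the iRule writes the header only when a certificate is found, the peer check is what keeps a client that reaches the web server by another path from supplying its own SSLClientCert value.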



Published Jul 27, 2005
Version 1.0

  • There are some things you can do with the client side request on 4.x but I don't believe that you have access to the actual certificate to add as a new http header. You might check in the 4.x admin guide to find which iRule commands are available but I'm thinking there isn't a one to one mapping.



  Sure thing. Head over to, log in, click on Supported Products, select "BIG-IP 4.x" and select the "BIG-IP Reference Guide" and search for the iRules section.



    Here's the direct link to the iRules syntax section: