Validate Certificate Common Name and Revocation Status

Problem this snippet solves:

If you use the same CA to issue client certificates for several applications and want to restrict which applications each certificate can reach, this iRule restricts access by checking that the certificate common name (CN) matches the FQDN of the application served by the virtual server.

The iRule also lets you revoke a certificate by listing its serial number (SN): any client presenting a certificate with a listed SN is rejected.

Note: this example does not check that the certificate chains to a trusted CA, so a self-signed certificate carrying the right common name would pass. It should be combined with a check of the SSL::verify_result command, with the issuing CA configured as the Trusted CA bundle on the Client SSL profile. Note also that the original matching uses "contains", which is a substring match: a CN such as "will.rlg.example" would satisfy a "contains CN=will.rlg" test, so an exact comparison of the CN value is preferable.

Code :

# get certificate data from the client certificate presented in the handshake
when CLIENTSSL_CLIENTCERT {
  set cert [SSL::cert 0]
  set sn [X509::serial_number $cert]
  set subject [X509::subject $cert]
  set issuer [X509::issuer $cert]
  set version [X509::version $cert]
  set clientIP [IP::client_addr]

  # check SN to see if the certificate is revoked
  # (the two serial numbers in the original listing were truncated; replace the
  # placeholders with the revoked serial numbers, in the form X509::serial_number returns them)
  if { ($sn equals "<revoked-serial-1>") || ($sn equals "<revoked-serial-2>") } {
    log local0. "cert SN $sn revoked, client $clientIP"
    reject
    return
  }

  # check the certificate common name against the FQDN for this virtual server
  # (exact match on the CN value, not a substring match on the whole subject DN)
  set cn [findstr $subject "CN=" 3 ","]
  if { [string tolower $cn] equals "will.rlg" } {
    # uncomment the line below to confirm that the iRule is accepting a valid certificate
    # log local0. "cert CN valid, client $clientIP"
  } else {
    # if the certificate is not valid, log the client IP and reject the connection
    log local0. "cert CN not valid ($subject), client $clientIP"
    reject
  }
}
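The following is an added example, not the original author's iRule, showing how the note above would be applied: the certificate chain is verified with SSL::verify_result before the serial number and CN are examined, the revocation list is an exact-match list held in static variables, and the CN is extracted from the subject DN and compared exactly. The FQDN will.rlg is taken from the page; the two serial numbers are placeholders; the Client SSL profile is assumed to have Client Certificate set to "request" (not "ignore", or CLIENTSSL_CLIENTCERT never fires) with the issuing CA in its Trusted CA bundle.

```tcl
# Added example (not the original iRule): client certificate check with chain
# verification, exact serial-number revocation and exact CN match.
# Assumes a Client SSL profile with Client Certificate = request and the issuing
# CA configured as the Trusted CA bundle.
when RULE_INIT {
    # FQDN served by this virtual server; the client cert CN must equal it
    # (value taken from the page)
    set static::app_fqdn "will.rlg"
    # serial numbers of revoked client certificates, lower-cased, in the form
    # X509::serial_number returns them (placeholder values, replace with your own)
    set static::revoked_serials [list "01:23:45:67" "89:ab:cd:ef"]
}

when CLIENTSSL_CLIENTCERT {
    set clientIP [IP::client_addr]

    # 1. the client must actually have presented a certificate
    if { [SSL::cert count] < 1 } {
        log local0. "no client certificate from $clientIP"
        reject
        return
    }

    # 2. the chain must verify against the profile's Trusted CA bundle:
    #    0 means verified, any other value is an OpenSSL X509 verify error code
    #    (a self-signed certificate with the right CN fails here)
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0. "client cert verify failed (result $vr) from $clientIP"
        reject
        return
    }

    set cert    [SSL::cert 0]
    set sn      [string tolower [X509::serial_number $cert]]
    set subject [X509::subject $cert]
    set issuer  [X509::issuer $cert]

    # 3. revocation: exact match against the list, never a substring match
    if { [lsearch -exact $static::revoked_serials $sn] >= 0 } {
        log local0. "revoked client cert serial $sn (issuer $issuer) from $clientIP"
        reject
        return
    }

    # 4. the CN value must equal the application FQDN; pull it out of the
    #    subject DN instead of substring-matching the whole DN
    set cn [string tolower [findstr $subject "CN=" 3 ","]]
    if { $cn ne $static::app_fqdn } {
        log local0. "client cert CN '$cn' does not match $static::app_fqdn from $clientIP"
        reject
        return
    }

    # uncomment to confirm accepted certificates while testing
    # log local0. "client cert accepted: CN $cn serial $sn from $clientIP"
}
```

The verify check has to come first: once a certificate fails chain validation, nothing in its subject or serial number can be trusted, so logging those fields is only useful for diagnostics. With the profile set to "require" rather than "request", BIG-IP drops unverified certificates before the event runs, and the SSL::verify_result branch then only covers edge cases; "request" keeps the decision, and the log line, in the iRule.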
Published Mar 18, 2015
Version 1.0
