
BIG-IP Forward Client Cert To Node

AceHunter1965
Nimbostratus

Hey all,


At our company, we have a BIG-IP cluster bridging two networks, with servers / clients on both sides (we also have the AWAF module, which goes over HTTP requests).


Some of our websites require mutual TLS, but the thing is we have a lot of client certificates, and can't load all of them into BIG-IP.

Is there a way to forward the client certificate to the server? We need the certificates to be presented during the handshake and not sent as a header.


Thanks!


SanjayP
MVP

F5 is a full proxy. If F5 is terminating SSL on the client side, acting as the TLS server and requesting an mTLS cert from the client, the only way to send the cert to the backend node is to parse the cert and send it in an HTTP header.


If the backend node needs to have the client cert directly from the client (without F5 sending it in a header), the VIP needs to be configured as TLS pass-through (either a Performance Layer 4 VIP or a Standard VIP without HTTP and SSL profiles).


Or you can try the proxy-ssl feature:


https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-system-ssl-administration/implementing-proxy-ssl-on-a-single-big-ip-system.html
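As an added example (not part of the reply above or of F5's documentation), an iRule for the first option the reply describes: cache the certificate received during the client-side handshake and pass it to the pool member in a header, after stripping any copy of that header a client could have sent itself. It assumes the virtual server has an HTTP profile and a client SSL profile that requests the client certificate; the header names are a hypothetical choice.

```tcl
# Added example, not from the reply: forward the client certificate that
# BIG-IP's client SSL profile received to the pool member in a header.
# Assumes the client SSL profile is set to request/require a client cert
# and the virtual server has an HTTP profile. Header names are hypothetical.

when CLIENTSSL_CLIENTCERT {
    # Runs once per TLS handshake; SSL::cert 0 is the DER-encoded leaf cert.
    # Keep a base64 copy (single line, header-safe) for this connection's
    # HTTP requests, and reset it when no certificate was presented.
    if { [SSL::cert count] > 0 } {
        set client_cert_b64 [b64encode [SSL::cert 0]]
        set client_cert_subject [X509::subject [SSL::cert 0]]
    } else {
        set client_cert_b64 ""
        set client_cert_subject ""
    }
}

when HTTP_REQUEST {
    # Never trust these headers from the client: remove anything sent under
    # the same names so the pool member only ever sees BIG-IP's values.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"

    if { [info exists client_cert_b64] && $client_cert_b64 ne "" } {
        HTTP::header insert "X-Client-Cert" $client_cert_b64
        HTTP::header insert "X-Client-Cert-Subject" $client_cert_subject
    }
}
```

Because anything that can reach the pool member directly could forge these headers, the backend should accept them only on connections that originate from the BIG-IP (for example, by restricting the pool member's listener to the BIG-IP self IPs) and should validate the forwarded certificate against its own CA rather than trusting the subject header alone.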