Forum Discussion
Yoann_Le_Corvi1
Cumulonimbus
Hi
I did not test it, but something like this should help:
when CLIENT_ACCEPTED {
    # Per-connection flag; set to 1 once the client has presented a certificate.
    set clientCertPresent 0
}
when CLIENTSSL_CLIENTCERT {
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn != "" } {
        set clientCertPresent 1
    }
}
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2" } {
        # Protected URI: sources not in the NOCERT_IP_LIST data group must present a certificate.
        if { !([class match [IP::remote_addr] equals NOCERT_IP_LIST]) && $clientCertPresent == 0 } {
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            # Switch to a clientssl profile that requires a certificate, then renegotiate;
            # the eval indirection keeps the iRule validator from rejecting SSL::profile in this event.
            set cmd "SSL::profile /Common/require_clientssl"
            eval $cmd
            SSL::renegotiate
            event disable all
        } else {
            HTTP::redirect "https://my.error.page.com/error.htm"
        }
    }
}
hope this helps.
Yoann
jaikumar_f5
Oct 19, 2020 (MVP)
Also, if the OP would like to capture the CN alone, he can first check whether any cert was provided at all, [SSL::cert count] > 0, and based on that trigger the if block; if it passes, then capture the CN or the entire subject accordingly. If planning to capture the CN, here:
[findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
And if you want to throw a custom page, just go with this,
HTTP::respond 403 content "<html>The requested URI - [HTTP::host][HTTP::uri] is restricted, your provided client certificate (CN=[findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]) is not allowed to access. Contact admin</html>"
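An added example that is not code from either poster or from F5: one self-contained iRule that combines the two replies above (per-URI enforcement with an exempt source list from Yoann's reply, the [SSL::cert count] > 0 check, CN extraction with findstr and a custom 403 from jaikumar_f5's). Assumptions made here: the clientssl profile is set to request (not require) a certificate at the handshake, so the certificate is already in hand when HTTP_REQUEST fires and no renegotiation is needed; the data group names dg_nocert_ips (address type) and dg_allowed_cn (string type) are placeholders chosen for this example; the protected prefixes /uri1 and /uri2 are the ones from the thread.

```tcl
# Added example, not from the thread: require a client certificate on selected URIs,
# exempt a data group of source IPs, check the certificate CN against an allow list,
# and answer with a custom 403 otherwise.
# Assumed placeholders: data groups dg_nocert_ips (address) and dg_allowed_cn (string).
# Assumed profile setting: clientssl "Client Certificate" = request, so a certificate
# (if the client has one) is already available when HTTP_REQUEST runs.

when CLIENT_ACCEPTED {
    # Per-connection state, reset on every new TCP connection.
    set cert_count 0
    set cert_cn ""
}

when CLIENTSSL_CLIENTCERT {
    # Fires only if the client actually sent a certificate chain.
    set cert_count [SSL::cert count]
    if { $cert_count > 0 } {
        # Leaf certificate subject, then the CN field only: text after "CN=" up to the next comma.
        set subject_dn [X509::subject [SSL::cert 0]]
        set cert_cn [findstr $subject_dn "CN=" 3 ","]
    }
}

when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]
    if { !($path starts_with "/uri1" || $path starts_with "/uri2") } {
        # Not a protected path: nothing to enforce.
        return
    }
    # Sources listed in the exemption data group pass without a certificate.
    if { [class match [IP::client_addr] equals dg_nocert_ips] } {
        return
    }
    # Client-controlled values are HTML-escaped before being reflected into the response body.
    set safe_target [string map {& &amp; < &lt; > &gt;} "[HTTP::host][HTTP::uri]"]
    set safe_cn     [string map {& &amp; < &lt; > &gt;} $cert_cn]
    if { $cert_count == 0 } {
        log local0. "No client certificate from [IP::client_addr] for [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "<html><body>A client certificate is required to access $safe_target.</body></html>" "Content-Type" "text/html"
        return
    }
    if { ![class match $cert_cn equals dg_allowed_cn] } {
        log local0. "Client certificate CN=$cert_cn from [IP::client_addr] not allowed on [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "<html><body>The requested URI $safe_target is restricted; your client certificate (CN=$safe_cn) is not allowed to access it. Contact admin.</body></html>" "Content-Type" "text/html"
        return
    }
    # Certificate present and CN on the allow list: let the request through.
}
```

The host, URI and CN are all values the client chooses, so they are escaped with string map before being echoed into the HTML body; the unescaped values go only to the log line, which is where a reviewer will look for them.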