Forum Discussion

alanjohnson7467's avatar
Jul 10, 2019
Solved

Extract SAN from Client SSL Certificate & Insert into HTTP Header

Hi folks,

I'm working with some co-workers to setup some Slack.com forwarding in our environment. Mutual TLS and the insertion of the SAN from the client certificate into a HTTP header is a requirement. Can anyone help me come up with an iRule or LTM Policy to extract the SAN/CN from the client SSl cert and insert it as a HTTP header? Here's some additional info from Slack:

Configure your TLS-terminating server to request client certificates. Your server should accept client certificates issued by DigiCert SHA2 Secure Server CA, an intermediate CA under DigiCert Global Root CA. These CAs are included in many standard CA certificate bundles.

1- Extract either of the following fields in the certificate.
Subject Alternative Name: DNS:platform-tls-client.slack.com. By RFC 6125, this is the recommended field to extract.
or Subject Common Name: platform-tls-client.slack.com.

2- Inject the extracted domain into a header, and forward the request to your application server. Here's an example header you might add to the request: X-Client-Certificate-SAN: platform-tls-client.slack.com. Whatever you choose to call your header, check to make sure this header hasn't already been added to the request. Your upstream application server must know that the header was added by your TLS-terminating server as part of the Mutual TLS process.

  • Eric_Chen's avatar
    Eric_Chen
    Aug 28, 2019

    When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.

    when HTTP_REQUEST {
      if {[SSL::cert 0] ne ""}{
        set tmpcn [X509::subject [SSL::cert 0]]
        set cn [findstr $tmpcn "CN=" 3]
        HTTP::header replace X-Client-Certificate-SAN $cn
        
      } else {
        HTTP::header remove X-Client-Certificate-SAN
      }
    }

    My test results.

     curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
    {"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}

    Here's what my config looks like.

    ltm virtual test_vs {
        creation-time 2019-08-27:10:03:53
        destination 192.168.1.200:pcsync-https
        ip-protocol tcp
        last-modified-time 2019-08-27:10:20:58
        mask 255.255.255.255
        pool slack_pool
        profiles {
            http { }
            mtls_clientssl {
                context clientside
            }
            tcp { }
        }
        rules {
            slack2
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 3
    }
     
    ltm profile client-ssl mtls_clientssl {
        app-service none
        authenticate-depth 0
        ca-file f5ca
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
        }
        defaults-from clientssl
        inherit-ca-certkeychain true
        inherit-certkeychain true
        peer-cert-mode require
    }
     
    ltm rule slack2 {
    when HTTP_REQUEST {
      if {[SSL::cert 0] ne ""}{
        # extract SAN
        set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
        # remove DNS: prefix
        set san [findstr $santemp "DNS" 4]
        # insert X-Client-Certificate-SAN header
        HTTP::header replace X-Client-Certificate-SAN $san
     
      } else {
        HTTP::header remove X-Client-Certificate-SAN
      }
    }
    }

8 Replies

    • alanjohnson7467's avatar
      alanjohnson7467
      Icon for Cirrus rankCirrus

      Hi Eric,

       

      Our application owners have finally gotten around to testing this and we are running into a slight problem. The header is getting inserted, but is including this full value which seems to be breaking things:

       

      platform-tls-client.slack.com X509v3 Key Usage: critical Digital Signature

       

      ...do have any suggestions on how to remove the extra info in the value?

       

       

      Thanks!

      • Eric_Chen's avatar
        Eric_Chen
        Icon for Employee rankEmployee

        Can you send me a sample of your iRule? It is "weird" that it is grabbing that extra information. If you have a way to dump a copy of the Slack cert it would help. Here's my "test" cert that I have been using.

        -----BEGIN CERTIFICATE-----
        MIIDujCCAqKgAwIBAgIUWzmeqJiZXLywAc2KXLDkQpdGX1wwDQYJKoZIhvcNAQEL
        BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
        B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X
        DTE5MDcxMDE2MjUwMFoXDTI0MDcwODE2MjUwMFowKDEmMCQGA1UEAxMdcGxhdGZv
        cm0tdGxzLWNsaWVudC5zbGFjay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
        ggEKAoIBAQCzuteu/69oCkhHe7gmyqo+m3BIs73WN419bKt0piYL/qkq6jkZydjq
        5cq0Ne/6og9tXvzwX/B00+kyuccq0kv+lBFXSvO6N4mx5CZCWBmGGcEqCQ82lTwZ
        B9SE7vsk1kG9WxxMR3M65fEC6mzPNpy7SDj33pGnkpwkmDbvGY45uqYWG8oRxUEV
        wfU+HkjkuK6Ny9Ag5n+2naDblkpVfebEXaFqzjdUyuRL8ACpX2u9TW9H6crt08Gc
        rNctNwS5HWuntf9XaMFUQeesnCTggfCRvQkFr4D3AalpZGEuBC7mp8CJhG7gFLbz
        zzwdK+i+q9Q/FDMts3F067Rb9/AYi7CfAgMBAAGjgaowgacwDgYDVR0PAQH/BAQD
        AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
        MB0GA1UdDgQWBBT19sITL/5oD6wi+PTEI/XSA0dwnDAfBgNVHSMEGDAWgBRkzB44
        eEQlLGaY1CwbuiVRM/cPijAoBgNVHREEITAfgh1wbGF0Zm9ybS10bHMtY2xpZW50
        LnNsYWNrLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEADPscLML2jmY6byf306FVmtUV
        YT/2COAEySdGbmXm2rAeuINyFCOypNg/RhBIi9WyicicHVFjpskVizli+Qaom90h
        L1g7MbMhqGL6jUGp81+L4ZJDlQXeJSDu9/KPg1FdiJdK/fe0kQoFFU7ENAjUpclt
        7tYtlSQ6idVESZOzPk1Fu7/YCMtiWKNBPnF13fic4rF9Rg/wnX/Ct2Ji/WUSiQ/2
        9gZX+YHPm3qm4DFn2fJV6gFKurWyClIai0AX1/+C4rpUJvWi2U/CElAcy4YNm7Vv
        ON34sdFIMmfwLksKvA5AuNXFLefc7x/5PaBsDF26syv+NkVcyMjoiQ2T9QtoAQ==
        -----END CERTIFICATE-----

        and my test CA

        -----BEGIN CERTIFICATE-----
        MIIDpjCCAo6gAwIBAgIUSpuabxnXu19oLF0fLKu17PNAtqEwDQYJKoZIhvcNAQEL
        BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
        B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X
        DTE4MDQyMDA2NDMwMFoXDTIzMDQxOTA2NDMwMFowWTELMAkGA1UEBhMCVVMxEzAR
        BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFDASBgNVBAoTC0Y1
        IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
        MIIBCgKCAQEA5B7v5d/xsEWcmLfhtHDZAE8vAn3qmiEMLT5lFSdxzCg6h0JkqeDF
        iv50OGW00h2almjgEDMW+ldmjW+bSlWz5kpqdmzTXLnmw6/UN4Da+8odsw0abplS
        6DNz/xjWcdw4YiLFY167AmtDUNXaJ/jTBAgWGYJy/rl2u1vpi1CWiJozpR/g/Jsb
        bAxPXG54ZZi2yUbCVh12DmjAqBfU3LFCvvOQHYyjCon76sLnXifrWSjb8EOVJZc8
        Vw3IdRq0vf74Q62RgQXNAd1G5hme7kl/RdrrWqxlxCK8XXU2RSVnAX5baVxY/HC0
        lvXKsfFbJec+DkTAaZLZN4KJLfkvoylLXQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMC
        AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUZMweOHhEJSxmmNQsG7ol
        UTP3D4owHwYDVR0jBBgwFoAUZMweOHhEJSxmmNQsG7olUTP3D4owDQYJKoZIhvcN
        AQELBQADggEBAN0914undNu7bLOk+wVOTvfkL14jAoRCmv/rQBwvJoWNuU7d7TKk
        D0SZ/GME8kNg9RIAY/POCTiISrORIkoMwt4eLv0bDejualvJ7MwqOvgdFby6BuGg
        5dVioFfcwQA/i4L0smHX8QY+w8+RlD7DZnHKcx/C7sPHCkrqmLYLDQSalvv8KgwF
        mBB/SBS/yACKpaJPCC3Vlj7aPt5aS6GmH25LpAeDM7LLrDHLj+osLbhkGou0ifYy
        8RelfbJlI37NjVMJRWF1EsuSG0xYJPFg9/nqM6UPUHxLx+MmSJ6ibBj6MF6cYkKQ
        5Okq/kt3E65/mPltGVmGYPFzwfqLIJFx13E=
        -----END CERTIFICATE-----