Insert missing UPN into certificate?

Jonas_Karlsson_
Nimbostratus

Hi, I'm trying to insert the UPN field in a smartcard authentication session and send that smartcard info to the backend servers. Today I've got smartcards that are missing the othername:UPN, and the application requires the UPN field.


The field in the certificate today has:


X509v3 Subject Alternative Name: email:user@domain


Is there any way to use "SSL::extensions insert" or another function to get the result below?


X509v3 Subject Alternative Name: othername:UPN, email:user@domain


Thanks!


Kevin_Stewart
F5 Employee

SSL::extensions is designed to insert parameters into the server-side SSL handshake, not to modify attributes of a certificate. In fact, if you tried to manipulate the certificate, you'd break its corresponding digital signature.


On a side note, if you attach SSL profiles to a VIP, you cannot send the smart card certificate all the way to the server.


Jonas_Karlsson_
Nimbostratus

Thank you. That is good to know that a certificate can't be modified without breaking the signatures.


But maybe there is another way? Let's say you use the smartcard without the preferred attributes just to start an APM session by mapping the login with another attribute on the certificate. Then query AD for the user account. Then somehow make a new temporary certificate (bake it within F5) to present to the server that now holds the preferred attributes. Maybe. Probably better to reissue the smartcards (thousands..).


Kevin_Stewart
F5 Employee

See Client Certificate Constrained Delegation. This 13.1 LTM feature allows you to forge client certificates to internal servers.
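The following is an added example, not code from this thread or from F5, that shows with the openssl CLI the two points made above: editing the SAN inside an already-issued certificate breaks its signature (so nothing on the BIG-IP can "insert" a UPN into the smartcard cert), and the C3D-style alternative is to mint a new certificate, signed by a CA the backend trusts, that keeps the subject and adds an otherName:UPN SAN entry. The CA, keys, subject "/CN=user" and UPN value "user@domain" are all constructed for the demo; the real C3D feature does this inside the SSL profiles with its own CA and is not reproduced here. The UPN otherName OID is 1.3.6.1.4.1.311.20.2.3 (Microsoft szOID_NT_PRINCIPAL_NAME).

```shell
#!/bin/sh
# Added example (not from the thread or from F5). Requires only the openssl CLI.
#  1. tamper_san: change one byte of the SAN inside an issued cert -> signature no longer verifies
#  2. reissue_with_upn: C3D-style re-issuance from a trusted CA with otherName:UPN added
# All names, keys and the CA below are constructed for the demo.
set -eu

UPN_OID="1.3.6.1.4.1.311.20.2.3"     # Microsoft szOID_NT_PRINCIPAL_NAME, the "UPN" otherName
UPN_OID_DER="2b060104018237140203"    # the same OID as DER bytes, for a version-independent check
CARD_SUBJ="/CN=user"                  # subject to preserve on the re-issued cert (assumed)
UPN_VALUE="user@domain"               # assumed value; also used as the email SAN

# Build a demo PKI in $1: a CA standing in for the one the backend trusts, plus a
# "smartcard" cert whose SAN carries only email:user@domain, like the one in the question.
make_demo_pki() {
  dir="$1"; mkdir -p "$dir"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
    -days 1 -subj "/CN=Demo Issuing CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$CARD_SUBJ" -keyout "$dir/card.key" -out "$dir/card.csr" 2>/dev/null
  printf 'subjectAltName=email:%s\n' "$UPN_VALUE" > "$dir/card.ext"
  openssl x509 -req -in "$dir/card.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$dir/card.ext" -out "$dir/card.crt" 2>/dev/null
}

# Returns 0 only if cert $2 chains to CA $1 with a valid signature (what the backend checks).
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Kevin's point: flip one byte of the SAN in the signed (TBS) part of card.crt. The length
# is unchanged so the DER still parses, but the CA signature no longer matches the content.
tamper_san() {
  dir="$1"
  openssl x509 -in "$dir/card.crt" -outform DER -out "$dir/card.der" 2>/dev/null
  LC_ALL=C sed 's/user@domain/user@domaim/' "$dir/card.der" > "$dir/tampered.der"   # same length
  openssl x509 -inform DER -in "$dir/tampered.der" -out "$dir/tampered.crt" 2>/dev/null
}

# C3D-style alternative: a NEW certificate with a fresh key, the same subject, the original
# email SAN and an otherName:UPN entry, signed by the CA the backend trusts.
reissue_with_upn() {
  dir="$1"
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$CARD_SUBJ" -keyout "$dir/reissued.key" -out "$dir/reissued.csr" 2>/dev/null
  printf 'subjectAltName=otherName:%s;UTF8:%s,email:%s\n' "$UPN_OID" "$UPN_VALUE" "$UPN_VALUE" \
    > "$dir/reissued.ext"
  openssl x509 -req -in "$dir/reissued.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$dir/reissued.ext" -out "$dir/reissued.crt" 2>/dev/null
}

# Returns 0 if the cert's DER contains the UPN otherName OID. Checked at byte level because
# "openssl x509 -text" prints otherName differently across openssl versions.
has_upn_san() {
  openssl x509 -in "$1" -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n' | grep -q "$UPN_OID_DER"
}

demo() {
  dir="$1"
  make_demo_pki "$dir"
  echo "original card.crt verifies: $(verify_cert "$dir/ca.crt" "$dir/card.crt" && echo yes || echo no)"
  tamper_san "$dir"
  echo "tampered SAN verifies:      $(verify_cert "$dir/ca.crt" "$dir/tampered.crt" && echo yes || echo no)"
  reissue_with_upn "$dir"
  echo "reissued.crt verifies:      $(verify_cert "$dir/ca.crt" "$dir/reissued.crt" && echo yes || echo no)"
  echo "reissued.crt has UPN SAN:   $(has_upn_san "$dir/reissued.crt" && echo yes || echo no)"
  openssl x509 -in "$dir/reissued.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

demo "$(mktemp -d)"
```

The backend must trust the demo CA (in C3D, the CA configured on the BIG-IP) for the re-issued certificate to be accepted; the original smartcard cert and its private key are never altered, which is exactly why the tampered copy fails verification while the re-issued one passes.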