Forum Discussion

Vasil_Genov's avatar
Vasil_Genov
Icon for Altostratus rankAltostratus
Jan 17, 2022
Solved

iRule to Insert Client Cert into HTTP Header only when Certificate is from certain Root CA

Hello Group,   My curent setup is as follows: I have a HTTPS VS with Clinet SSL profile that has Client Authentication set to Request with Trusted CA and Advertised CA set to appropriate CA. Wh...
  • Vasil_Genov's avatar
    Jan 18, 2022

    I modified the rule and also added a check for existing x-client-cert. Now it seem to work.

    when RULE_INIT {

      set static::org "O=MON"

    }

     

    when CLIENTSSL_CLIENTCERT {

    if {[SSL::cert 0] eq ""}{

      return

      }

    else {

    set issuer_dn [X509::issuer [SSL::cert 0]]

    log "Client Certificate Received: $issuer_dn"

    if { ($issuer_dn contains $static::org) } {

    log "Client Certificate Accepted: $issuer_dn"

    }

    else {

    log "No Matching Client Certificate Was Found Using: $issuer_dn"

    reject

    }

    }

    }

     

    when HTTP_REQUEST {

    foreach header_name [HTTP::header names] {

    if {[string match -nocase x-client-cert $header_name]}{

    HTTP::header remove $header_name

      }

      }

       HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]  

    }

     

    I am leaving the full rule here, so if anyone need something similar, it can be used.