Forum Discussion

Shawn_Salyers_8's avatar
Icon for Nimbostratus rankNimbostratus
Dec 16, 2010

Client Certificate Help Needed!!!!

I have been searching the forums and have not been able to find an iRule example that I am able to get working. Simply put, I need to require a client certificate and allow access based on the thumbprint of the cert. I will store the thumbprints in a datagroup if the thumbprint exists access is granted.



Any help would be GREATLY appreciated!




4 Replies

  • Hi Shawn,



    Which LTM version are you running? The format for such a rule has changed somewhat in the various versions.



    Thanks, Aaron
  • This example is something you could start with:





    You could add logic to one of those examples, which after validating the client cert, adds the client's ssl ssession ID to the session table:





    That way you could support SSL session resumption in the client SSL profile and only check the cert once per session.



  • So this is what I have come up with so far:





    set serial_dn [X509::serial_number [SSL::cert 0]]


    log "Client Certificate Received: $serial_dn"


    if { ([matchclass $serial_dn contains $::ClientCert])} {


    Accept the client cert


    log "Client Certificate Accepted: $serial_dn"


    } else {


    log "No Matching Client Certificate Was Found Using: $serial_dn"









    It basically checks the serial number of the client cert and see if it matches an entry in the Data Group.



    Can I add anything to this to make it better? How can I add the serial number to the header so that it can get logged on the webserver side?



    Thanks for the guidance and suggestions!