Rick_Norwood
Oct 06, 2020

Constrained Certificate Delegation from HTTP Headers

I have the following configuration setup and am trying to determine how to enable C3D to create a certificate based on provided HTTP headers.

 

Outside F5 (Terminates SSL and inserts headers from validated certificate) -> Middle F5 (AWAF) -> Inside F5 (Re-encrypt and use C3D to connect to the back-end service) -> Apache HTTPD

 

I have C3D enabled on the Inside F5 with a valid self-signed CA for testing.

 

The inserted headers from the Outside F5 are available on the inside Apache HTTP server.

 

How can I enable C3D on the Inside F5 to produce the new certificate with supplied headers?

  • Some attempts I have made are to insert accepted X headers and SSL_CLIENT headers. In both cases I have inserted the X_CLIENT_CERT and SSL_CLIENT_CERT along with associated subjects, serials, version, etc.