Forum Discussion

AndOs's avatar
Icon for Cirrostratus rankCirrostratus
Sep 10, 2011

Forward client certificate info to applications

We have a custom .NET application from a third party that uses client certificate information to authenticate users.


The application runs on a single web server at the moment and handles the SSL processing by itself.


(basically a port forward in the firewall of port 443 to the server)

I would like to load balance the application om multiple servers and do SSL termination in the big-ip.


I have used up all means to make the developer support reading cert info from anything other than the ”built in objects in .NET”.


Is there any tools from F5 or third party products that would let me forward the client certificate information from the big-ip down to the web server and into the application?


Basically something that can get the forwarded cert info from the big-ip and place it into the internals of the server so that the application can read it.


Perhaps it needs to be an ISAPI-filter / IIS module, or a service running on the servers?








5 Replies

  • have you seen this one?



    Request Client Certificate And Pass To Application by alankila




    can your developer read client certificate info from the header?
  • AndOs's avatar
    Icon for Cirrostratus rankCirrostratus
    Thanks for the reply.



    Yes, I've looked at passing the certificate info in headers.


    Unfortunately the company making the application won't support reading the certificate from anything other than what they call ".NET built in objects".


    To put the question another way; If the application can't read cert info from headers, is there any way to get the info into the application? Maybe with a third party module/component?


    May not be F5 products, but perhaps someone know of any other products for this?



    I have been searching around for a solutions for a couple of days now, but not had much luck.


  • It's possible there is a serverside plugin you could use for this. But I'm not aware of one.



    In v11, there is a new feature called Proxy SSL which you can use for this type of scenario where you need to pass the original client cert onto the pool. Basically, you import the server cert/key(s) to LTM. LTM will allow the client and selected pool member to negotiate an SSL handshake directly. LTM watches to see what server cert the pool member uses. It then intercepts subsequent communication and decrypts the SSL allowing you to inspect/modify with the unencrypted content. This includes adding an HTTP profile to the virtual server. I couldn't find much public documentation on this, but you could open a case with F5 Support to request more details and a documentation update.



  • AndOs's avatar
    Icon for Cirrostratus rankCirrostratus
    Thanks for the info!



    I'll look into Proxy SSL



  • here is documentation on Proxy SSL feature: