Forum Discussion
So I think it then boils down to how you want users to re-authenticate. The fact that browsers remember your cert selection and won't re-prompt you is something that you're not going to be able to get around. Even if you force an SSL renegotiation by invalidating the current session, the user won't see this. If the intent is to display something for the user to click on, then certificate authentication isn't going to be the best option.

If you just need the client to re-submit their certificate, even if that's not visible to the user, then that's already happening as part of the SSL exchange between the client and BIG-IP. You can validate this with a Wireshark capture on the client side of the BIG-IP. You'll see the client periodically sending a ClientHello (via new session request, resumed session request, or renegotiation) and the server responding with ServerHello, Server Certificate, and Certificate Request messages. The Certificate Request message causes the client to send a Certificate message and then a Certificate Verify message. The first contains the client's certificate, and the second a hash of that signed by the client's private key.
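The message sequence described above (server CertificateRequest, then client Certificate and CertificateVerify) can be checked mechanically rather than by eye. The following is an added example, not code from the post, from F5 or from any BIG-IP tooling: a small TLS 1.2 record and handshake-header parser that walks a flow of records, names each handshake message, and confirms that the client actually answered the CertificateRequest with a non-empty Certificate followed by a CertificateVerify. The record bytes, the sender labels and the stand-in DER blob are all constructed here for the demonstration and are not a real capture or a real certificate.

```python
"""Minimal TLS 1.2 record/handshake-header walker for verifying, from a
capture, that a client re-sent its certificate after a CertificateRequest.
All sample bytes below are constructed for this example, not real traffic."""

CONTENT_HANDSHAKE = 22  # TLS record ContentType.handshake

# HandshakeType values from RFC 5246, section 7.4
HANDSHAKE_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type + 3-byte body length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Record header: content type, version 0x0303 (TLS 1.2), 2-byte length."""
    return bytes([content_type, 3, 3]) + len(payload).to_bytes(2, "big") + payload


def certificate_body(der_certs) -> bytes:
    """Certificate message body: 3-byte list length, then 3-byte-prefixed entries."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return len(entries).to_bytes(3, "big") + entries


def parse_handshakes(flow):
    """flow: list of (sender, record_bytes) in wire order.
    Returns a list of (sender, handshake_name, body) for every plaintext
    handshake message; other record types (ChangeCipherSpec, alerts,
    application data) are skipped."""
    out = []
    for sender, data in flow:
        off = 0
        while off + 5 <= len(data):
            ctype = data[off]
            length = int.from_bytes(data[off + 3:off + 5], "big")
            frag = data[off + 5:off + 5 + length]
            off += 5 + length
            if ctype != CONTENT_HANDSHAKE:
                continue
            p = 0
            while p + 4 <= len(frag):  # several handshake messages may share one record
                mtype = frag[p]
                mlen = int.from_bytes(frag[p + 1:p + 4], "big")
                body = frag[p + 4:p + 4 + mlen]
                p += 4 + mlen
                out.append((sender, HANDSHAKE_NAMES.get(mtype, f"type{mtype}"), body))
    return out


def check_client_cert_exchange(messages) -> str:
    """After a server CertificateRequest, expect a client Certificate carrying
    at least one entry, followed by a CertificateVerify (the signature that
    proves possession of the private key). Returns a short verdict string."""
    saw_request = False
    cert_present = False
    for sender, name, body in messages:
        if sender == "server" and name == "CertificateRequest":
            saw_request = True
        elif saw_request and sender == "client" and name == "Certificate":
            cert_present = int.from_bytes(body[:3], "big") > 0
            if not cert_present:
                return "client sent empty Certificate (declined)"
        elif saw_request and cert_present and sender == "client" and name == "CertificateVerify":
            return "client re-submitted certificate and proved possession of key"
    if not saw_request:
        return "server never sent CertificateRequest"
    return "client certificate exchange not completed"


# Constructed stand-in for a DER certificate (not a real certificate).
FAKE_DER = b"\x30\x03\x02\x01\x01"
RANDOM = b"\x03\x03" + b"\x00" * 32  # placeholder protocol version + random

# Constructed flow: full handshake with a client certificate.
SAMPLE_FLOW = [
    ("client", tls_record(CONTENT_HANDSHAKE, handshake_msg(1, RANDOM))),
    ("server", tls_record(CONTENT_HANDSHAKE,
                          handshake_msg(2, RANDOM)
                          + handshake_msg(11, certificate_body([FAKE_DER]))
                          + handshake_msg(13, b"\x01\x01\x00\x00\x00\x00")
                          + handshake_msg(14, b""))),
    ("client", tls_record(CONTENT_HANDSHAKE,
                          handshake_msg(11, certificate_body([FAKE_DER]))
                          + handshake_msg(16, b"\x00")
                          + handshake_msg(15, b"\x04\x01\x00\x00"))),
]

# Constructed flow: server asked, but the browser sent an empty certificate list.
DECLINED_FLOW = SAMPLE_FLOW[:2] + [
    ("client", tls_record(CONTENT_HANDSHAKE,
                          handshake_msg(11, certificate_body([]))
                          + handshake_msg(16, b"\x00"))),
]

if __name__ == "__main__":
    for label, flow in (("sample", SAMPLE_FLOW), ("declined", DECLINED_FLOW)):
        msgs = parse_handshakes(flow)
        print(label, [f"{s}:{n}" for s, n, _ in msgs])
        print(label, "->", check_client_cert_exchange(msgs))
```

With a real capture you would feed the parser the raw record bytes of each direction (for example, exported from Wireshark) in place of the constructed flows. One caveat that matters for the renegotiation case the post mentions: a renegotiated handshake runs inside the already-established encrypted record layer, and TLS 1.3 encrypts everything after ServerHello, so those messages appear in a capture only as encrypted handshake records unless you have the session keys; plaintext walking like this applies to the initial TLS 1.2 handshake.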