Forum Discussion
Kevin_Stewart
Oct 07, 2016 (Employee)
There's no clean non-iRule way to do this quite yet, but as Shaun stated you can use a data group to minimize customization of that iRule. If you take a look at this page you can see a lot of options for extracting information from the certification: https://devcentral.f5.com/wiki/iRules.X509.ashx
So you could take a variation of one of the code examples and add the data group.
when CLIENTSSL_HANDSHAKE {
    # Check if the client supplied one or more client certs
    if { [SSL::cert count] > 0 } {
        if { not ( [class match [X509::subject [SSL::cert 0]] equals my-cert-subject-dg] ) } {
            # incoming cert subject didn't match a data group entry
            reject
        }
    } else {
        # No certificate presented
        reject
    }
}
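As an added example (not from the original post or from F5), here is the same data-group check with a log line on each rejection so that failed client-certificate matches show up in /var/log/ltm, plus the tmsh command that the example assumes was used to create the string data group "my-cert-subject-dg" with two constructed subject entries:

```tcl
# Added example, not from the original post. It assumes a string data group
# named "my-cert-subject-dg" already exists, created for instance with
# (subject values are constructed placeholders):
#   tmsh create ltm data-group internal my-cert-subject-dg type string \
#       records add { "CN=client1,O=Example Corp" { } "CN=client2,O=Example Corp" { } }
when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        # Full subject DN of the first certificate in the chain, as one string
        set subject [X509::subject [SSL::cert 0]]
        if { [class match $subject equals my-cert-subject-dg] } {
            # Subject is on the allow list; let the handshake continue
            log local0. "client cert accepted: subject=\"$subject\""
        } else {
            # Subject not in the data group: log the exact value, then drop the connection
            log local0. "client cert rejected: subject=\"$subject\" not in my-cert-subject-dg"
            reject
        }
    } else {
        log local0. "client cert rejected: no certificate presented by [IP::client_addr]"
        reject
    }
}
```

Because `class match ... equals` compares the whole DN string, each data-group entry must match the output of `X509::subject` character for character, including attribute order and separators. Logging the rejected subject, as above, is the quickest way to see the exact format the BIG-IP produces before populating the data group.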