Forum Discussion

Francis_Pascual
Nov 18, 2013

Selective Client Certificate Validation

Can you please give me a sample of an iRule that validates a particular client certificate (client certificate set to require)? Trusted CA certificate is Verisign, specific client cert has this common name, serial number and thumbprint.

 

2 Replies

  • Without more specifics, here's how you'd extract some of the X509 certificate data within an iRule:

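    when CLIENTSSL_CLIENTCERT {
        # Only inspect the certificate if the client actually presented one
        if { [SSL::cert count] > 0 } {
            # X509::subject returns the full subject DN, which includes the CN
            set commonname [X509::subject [SSL::cert 0]]
            # Serial number of the client (leaf) certificate
            set serial [X509::serial_number [SSL::cert 0]]
        }
    }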
    

    Again, not very specific, but you can see how to get the common name/subject and cert serial. From there you can perform whatever evaluations you need.

    I also don't believe you can get at the thumbprint within the scope of X509 commands. It is possible through some binary parsing, but waiting to see if you absolutely need that.
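
The extraction in the reply above, carried through to an allow-one-certificate check. This is an added example, not code from either poster. The expected values are constructed placeholders, and it assumes `[SSL::cert 0]` is the DER-encoded certificate, so that the iRule `sha1` command over it yields the SHA-1 thumbprint.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Placeholders (constructed): replace with the values of the one permitted
    # certificate. Serial and thumbprint are lowercase hex without separators.
    set want_cn     "client.example.com"
    set want_serial "0123456789abcdef"
    set want_thumb  "<sha1-thumbprint-hex-placeholder>"

    # Chain validation against the trusted CA is done by the client SSL profile
    # (client certificate set to require); this rule only narrows the accepted
    # set down to a single certificate.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    set cert [SSL::cert 0]

    # X509::subject returns the whole subject DN, so pull out the CN component.
    set cn ""
    regexp -nocase {CN=([^,/]+)} [X509::subject $cert] -> cn
    set cn [string trim $cn]

    # Normalise serial formatting (separators, case) before comparing.
    set serial [string tolower [string map {":" "" " " ""} [X509::serial_number $cert]]]

    # Assumption: $cert holds DER bytes, so its SHA-1 digest is the thumbprint.
    binary scan [sha1 $cert] H* thumb

    # All three attributes must match; anything else is logged and dropped.
    if { $cn ne $want_cn || $serial ne $want_serial || $thumb ne $want_thumb } {
        log local0. "Rejected client cert: cn=$cn serial=$serial sha1=$thumb"
        reject
    }
}
```

Of the three checks, the thumbprint is the one that binds to the exact certificate bytes. Log one accepted connection first to confirm the serial format your BIG-IP version returns before enforcing.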