How to use a public CA on the Client Cert profile and OCSP validation a non-public end user certificate

See the following settings: ltm virtual gestores2-rj2.bnymellon.com.br-vip-443 { auth { **dreyfusbrascan_ca_profile** } destination 170.61.199.134:https ip-protocol tcp mask 255.255.255.255 persist { source_addr_ { default yes } } pool gestores2-rj2.bnymellon.com.br-pool-80 profiles { gestores2.bnymellon.com.br-clientssl { context clientside } microsoft_iis_https_http-wan-optimized-compression_shared_http { } tcp-custom-30min { } } } ____________________________________ ltm auth profile dreyfusbrascan_ca_profile { configuration dreyfusbrascan_ca_cfg credential-source http-basic-auth defaults-from ssl_ocsp idle-timeout 5400 rule auth_ssl_ocsp8 } _______________________ ocsp responder DreyfusBrascanCA_CRL { url "http://170.61.198.73/ocsp" ca file "Dreyfus-ca-bundle.crt" ignore aia enable nonce disable validity period 3600 _________________ ltm profile client-ssl gestores2.bnymellon.com.br-clientssl { allow-non-ssl disabled authenticate once authenticate-depth 9 ca-file intermediate-ca-bundle.crt cert sma.bnymellon.com.br.10152014.crt chain intermediate-ca-bundle.crt client-cert-ca Dreyfus-ca-bundle.crt defaults-from clientssl key sma.bnymellon.com.br.10152014.key peer-cert-mode request renegotiate-max-record-delay 4294967295 renegotiate-period 3600 renegotiation enabled secure-renegotiation request strict-resume enabled unclean-shutdown enabled } ___________

when RULE_INIT { set ::key [AES::key 128] }   when CLIENT_ACCEPTED { set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp] use the following logging line for troubleshooting only log local0. "Client Address: [IP::client_addr]" } when CLIENTSSL_CLIENTCERT { Check certificate validity if {[SSL::cert count] > 0}{ set ssl_cert [SSL::cert 0] set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]] Set results in the session so they are available to other events 0=The certificate, 1=The validation error, 2=Revocation status set ssl_stuff [list anything1 anything2 anything3] lset ssl_stuff 0 $ssl_cert lset ssl_stuff 1 $ssl_errstr lset ssl_stuff 2 "" session add ssl [SSL::sessionid] $ssl_stuff 5400 Check revocation status of the certificate with the OCSP servers AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0] AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0] AUTH::authenticate $tmm_auth_ssl_ocsp_sid set id [SSL::sessionid] SSL::handshake hold } else { log local0. "No certificate provided" } Log results log local0. "Client IP: [IP::remote_addr]" } when AUTH_RESULT { AUTH::status values:    https://clouddocs.f5.com/api/irules/AUTH__status.html     0 = success     1 = failure    -1 = error     2 = not-authed    if {[AUTH::status] == 0} { log local0. "AUTH_SUCCESS" if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} { log local0. "OCSP servers say the certificate is good" lset ssl_stuff 2 "success" } } elseif { [AUTH::status] == -1} { log local0. "AUTH_ERROR" if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} { log local0. " An error occurred communicating with the OCSP servers" lset ssl_stuff 2 "error" } } else { log local0. "AUTH_FAILURE" if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} { log local0. " OCSP servers say the certificate was revoked" lset ssl_stuff 2 "failure" } } SSL::handshake resume session add ssl $id $ssl_stuff } when HTTP_REQUEST { Retrieve certificate information from the session set ssl_stuff2 [session lookup ssl [SSL::sessionid]] log statements below are to allow admin to view cert results through logs log local0. "Client IP [IP::remote_addr] connected with the Client Certificate: [X509::subject $ssl_cert], requesting: [HTTP::method]/[HTTP::host][HTTP::uri], browser: [HTTP::header User-Agent], Referer: [HTTP::header exists Referer], HTTP version [HTTP::version], Persitance Cookie: [HTTP::cookie exists JSESSIONID], SSL: [SSL::cipher name]/[SSL::cipher version]/[SSL::cipher bits]" if { $ssl_stuff2 == "" } { log local0. "No certificate was supplied, redirecting" log local0. "Cert Auth = Failed" HTTP::redirect "http://www.bnymellon.com.br/custerr/403-7.htm" } else { A certificate was supplied set ssl_cert2 [lindex $ssl_stuff2 0] set ssl_errstr2 [lindex $ssl_stuff2 1] set ssl_revoke2 [lindex $ssl_stuff2 2] log local0. "Certificate Information, Trusted Certificate Validation: $ssl_errstr2, OCSP Revocation Statue: $ssl_revoke2" if { $ssl_errstr2 eq "ok" } { The certificate has passed Trusted Certificate Validation Below are the OCSP states switch $ssl_revoke2 { "error" { An error occurred communicating with the OCSP servers HTTP::redirect "http://www.bnymellon.com.br/custerr/403-13.htm" log local0. "OCSP error was redirected" } "failure" { version of verisign cert is not in OCSP server--must allow without verifying revocation status if { [X509::issuer $ssl_cert2] contains "OU=Geotrust" } { log local0. "Cert is from verisign, Cert issuer - [X509::issuer $ssl_cert2]" HTTP::header insert CertAuth "Pass" HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2] } else { The cert was actually in OCSP server as a revoked cert HTTP::redirect "http://10.1.1.1/revokedcert.html" HTTP::redirect "http://www.bnymellon.com.br/custerr/403-13.htm" log local0. "Revoked certificate was redirected" } } "success" { The certificate is valid, the user is authenticated. Add the certificate subject so the web servers can lookup the the user's account and priviledges HTTP::header insert CertAuth "Pass" HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2] } default { We should not get here, I don't know what happened log local0.error "Invalid revocation status = $ssl_revoke2" reject } } } else { The certificate was invalid. we should not get here HTTP::redirect "http://www.bnymellon.com.br/custerr/403-7.htm" log local0. "Invalid certificate was redirected" } } } ____________