Forum Discussion

Jonas_Karlsson_
Oct 10, 2018

Insert missing UPN into certificate?

Hi, I'm trying to insert the UPN field in a smartcard authentication session and send that smartcard info to the backend servers. Today I've got smartcards that are missing the othername:UPN, and the application requires the UPN field.

The field in the certificate today has

X509v3 Subject Alternative Name: email:user@domain

Is there any way to use "SSL::extensions insert" or other function to get the result below?

X509v3 Subject Alternative Name: othername:UPN, email:user@domain

Thanks!

3 Replies

  • SSL::extensions is designed to insert parameters into the server side SSL handshake, not to modify attributes of a certificate. In fact, if you tried to manipulate the certificate, you'd break its corresponding digital signature.

    On a side note, if you attach SSL profiles to a VIP, you cannot send the smart card certificate all the way to the server.

  • Thank you. That is good to know that a certificate can't be modified without breaking the signatures.

    But maybe there is another way? Let's say you use the smartcard without the preferred attributes just to start an APN session by mapping the login with another attribute on the certificate. Then query AD for the user account. Then somehow make a new temporary certificate (bake it within F5) to present to the server that now holds the preferred attributes. Maybe, probably better to reissue the smartcards (thousands..)
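
To make the signature point from the first reply concrete, here is an added example (not code from the thread or from F5) that DER-encodes the two Subject Alternative Name values from the question and parses them back. It builds only the extension value, not a whole certificate; the helper names are made up for this example and the sample addresses are the constructed ones from the question.

```python
import hashlib

# DER encoding of OID 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN otherName type
UPN_OID_DER = bytes.fromhex("060a2b060104018237140203")

def tlv(tag, body):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_san(email, upn=None):
    """Build the GeneralNames value of a subjectAltName extension."""
    names = b""
    if upn:
        value = tlv(0xA0, tlv(0x0C, upn.encode()))   # [0] EXPLICIT UTF8String
        names += tlv(0xA0, UPN_OID_DER + value)      # otherName [0]
    names += tlv(0x81, email.encode("ascii"))        # rfc822Name [1]
    return tlv(0x30, names)

def parse_san(der):
    """Return [(kind, value)] for rfc822Name and otherName entries."""
    _, names, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag == 0x81:
            out.append(("email", body.decode("ascii")))
        elif tag == 0xA0:
            _, _, p = read_tlv(body, 0)              # skip the type-id OID
            _, wrapped, _ = read_tlv(body, p)        # [0] EXPLICIT wrapper
            kind = "UPN" if body[:p] == UPN_OID_DER else "otherName"
            out.append((kind, read_tlv(wrapped, 0)[1].decode("utf-8", "replace")))
    return out

# Constructed sample values taken from the question above.
issued = build_san("user@domain")
wanted = build_san("user@domain", upn="user@domain")
print(parse_san(issued), hashlib.sha256(issued).hexdigest()[:16])
print(parse_san(wanted), hashlib.sha256(wanted).hexdigest()[:16])
```

The two encodings differ in length and content, and the CA's signature is computed over the tbsCertificate that contains these bytes, so adding the otherName entry to an already issued certificate changes the signed data and the signature no longer verifies.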