CLIENTSSL_CLIENTCERT
Description
Triggered when the system receives a certificate message from the
client during the TLS handshake. The message may contain zero or more
certificates. The BIG-IP system can retrieve an X509 certificate from
the message, and its X509 issuer, with the SSL::cert and SSL::cert
issuer commands.
Examples
```tcl
when CLIENTSSL_CLIENTCERT {
    # Save the first (leaf) client cert to a variable
    set ssl_cert [SSL::cert 0]
    # Using the SSL session ID as the key,
    # add the cert to the session table with a timeout of 180 seconds
    session add ssl [SSL::sessionid] $ssl_cert 180
}
```
```tcl
when CLIENTSSL_CLIENTCERT {
    # Debug flag: set to 1 to log every cert in the message, 0 to stay quiet
    set debug 1
    # Check if the client presented a cert after it was requested/required
    if { [SSL::cert count] > 0 } {
        # Client presented at least one cert. The actual client cert should always be first.
        if { $debug >= 1 } {
            # Loop through each cert and log the cert subject, issuer and serial number
            for { set i 0 } { $i < [SSL::cert count] } { incr i } {
                log local0. "client IP:port=[IP::client_addr]:[TCP::client_port]: cert $i; \
                    subject: [X509::subject [SSL::cert $i]]; \
                    issuer: [X509::issuer [SSL::cert $i]]; \
                    cert_serial=[X509::serial_number [SSL::cert $i]];"
            }
        }
    } else {
        if { $debug >= 1 } { log local0. "client IP:port=[IP::client_addr]:[TCP::client_port]: No client cert found!" }
    }
}
```
Sample log output:

```text
: client IP:port=1.1.1.1:3953: cert 0; subject: emailAddress=some_user@example.com,CN=Some User,OU=Example OU,OU=Example2 OU; issuer: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; cert_serial=22:22:22:22:22:22:22:22:22:22;
: client IP:port=1.1.1.1:3953: cert 1; subject: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; issuer: CN=Example CA Primary CA,O=Secure Internet Services Ltd; cert_serial=11:11:11:11:11:11:11:11:11:11;
: client IP:port=1.1.1.1:3953: cert 2; subject: CN=Example CA Primary CA,O=Secure Internet Services Ltd; issuer: CN=Example CA Root CA,O=Secure Internet Services Ltd; cert_serial=00:00:00:00:00:00:00:00:00:00;
```
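The following is an added example, not from the original page, that combines the two patterns above into one defender-side flow: it checks the profile's verification result, pins the leaf certificate's issuer to an expected CA, stores only the subject and serial in the session table, and has HTTP_REQUEST forward them to the pool after stripping any client-supplied copies of the same headers. It assumes a clientssl profile that requests or requires client certificates; the expected issuer DN and the header names are constructed placeholders.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Drop any stale entry for this TLS session before deciding afresh
    session delete ssl [SSL::sessionid]

    if { [SSL::cert count] == 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]: no client cert presented"
        return
    }

    # Refuse the handshake if chain verification against the profile's CA bundle failed
    # (0 means the chain verified; relevant when the profile only "requests" a cert)
    set vres [SSL::verify_result]
    if { $vres != 0 } {
        log local0. "[IP::client_addr]: client cert rejected: [X509::verify_cert_error_string $vres]"
        reject
        return
    }

    # The leaf cert is index 0; pin its issuer DN in addition to the chain check.
    # The DN below is a constructed placeholder, not a real CA.
    set leaf   [SSL::cert 0]
    set issuer [X509::issuer $leaf]
    if { $issuer ne "CN=Example CA Customer CA,O=Secure Internet Services Ltd." } {
        log local0. "[IP::client_addr]: unexpected client cert issuer '$issuer'"
        reject
        return
    }

    # Keep only what the backend needs, keyed by the TLS session ID (180 s timeout)
    session add ssl [SSL::sessionid] \
        [list [X509::subject $leaf] [X509::serial_number $leaf]] 180
}

when HTTP_REQUEST {
    # Remove any client-supplied copies first so the pool cannot be fed a spoofed identity
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Serial"

    # Look the identity up by session ID so resumed TLS sessions are covered too
    set info [session lookup ssl [SSL::sessionid]]
    if { $info ne "" } {
        HTTP::header insert "X-Client-Cert-Subject" [lindex $info 0]
        HTTP::header insert "X-Client-Cert-Serial"  [lindex $info 1]
    }
}
```

Attach this to the virtual server alongside the clientssl profile; because the backend only ever sees headers set after the remove calls, it can trust them without re-parsing the certificate.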