Client Certificate CN Checking
Description
These iRules will check the presented client certificate for a valid
CN, allowing or rejecting
For either example, if you will be examining client certs signed by
a CA not in LTM’s Trusted CA bundle, you will need to add it:
- In Local Traffic / SSL Certificates, import the certificate for the CA that will be used to validate the client certificates.
The first example allows requests only from the specified CNs belonging to
the same Org:
1. Setup a new Client SSL Profile that contains the virtual server SSL
Certificate. During the creation of this Profile, you will need to set
the following values:
- Configuration = Advanced
- Trusted Certificate Authorities = “Your_Certificate_Authority”
- Client Certificate = require
- Frequency = once
2. Setup a String Data Group containing a list of acceptable CNs:
   class my_cn_list {
       "CN=John Smith"
       "CN=Amy Black"
       "CN=Jim Beam"
       "CN=Johnny Walker"
   }
3. Add this iRule:
   when RULE_INIT {
       set static::org "O=Your Organisation"
   }
   when CLIENTSSL_CLIENTCERT {
       # Check if client provided a cert
       if { [SSL::cert 0] eq "" } {
           # Reset the connection
           reject
       } else {
           # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
           set subject_dn [X509::subject [SSL::cert 0]]
           log "Client Certificate Received: $subject_dn"
           # Check if the client certificate contains the correct O and a CN from the list
           if { ([matchclass $subject_dn contains my_cn_list]) and ($subject_dn contains $static::org) } {
               # Accept the client cert
               log "Client Certificate Accepted: $subject_dn"
           } else {
               log "No Matching Client Certificate Was Found Using: $subject_dn"
               reject
           }
       }
   }
The second example selectively requires a client cert with a
specific CN based on the URI:
1. Setup a new Client SSL Profile that contains the virtual server SSL
Certificate. During the creation of this Profile, you will need to set
the following values:
- Configuration = Advanced
- Trusted Certificate Authorities = “Your_Certificate_Authority”
- Client Certificate = request
- Frequency = once
2. Add one of these iRules, depending on whether you also need to
select a pool based on URI:
With pool selection:
   when RULE_INIT {
       set static::debug 1
   }
   when CLIENT_ACCEPTED {
       # Initialise the variable so HTTP_REQUEST never reads it unset when no cert was presented
       set subject_dn ""
   }
   when CLIENTSSL_CLIENTCERT {
       # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
       if { [SSL::cert count] > 0 } {
           set subject_dn [X509::subject [SSL::cert 0]]
           if { $static::debug } { log "Client Certificate received: $subject_dn" }
       }
   }
   when HTTP_REQUEST {
       if { [HTTP::uri] starts_with "/companyA" } {
           if { $subject_dn contains "CN=Company A" } {
               pool companyA
           } else {
               reject
           }
       } elseif { [HTTP::uri] starts_with "/companyB" } {
           if { $subject_dn contains "CN=Company B" } {
               pool companyB
           } else {
               reject
           }
       }
   }
Without pool selection:
   when RULE_INIT {
       set static::debug 1
   }
   when CLIENT_ACCEPTED {
       # Initialise the variable so HTTP_REQUEST never reads it unset when no cert was presented
       set subject_dn ""
   }
   when CLIENTSSL_CLIENTCERT {
       # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
       if { [SSL::cert count] > 0 } {
           set subject_dn [X509::subject [SSL::cert 0]]
           if { $static::debug } { log "Client Certificate received: $subject_dn" }
       }
   }
   when HTTP_REQUEST {
       if { [HTTP::uri] starts_with "/companyA" } {
           if { !($subject_dn contains "CN=Company A") } {
               reject
           }
       } elseif { [HTTP::uri] starts_with "/companyB" } {
           if { !($subject_dn contains "CN=Company B") } {
               reject
           }
       }
   }
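A hardened form of both examples above, added here as an illustration; it is not part of the original page and not F5-provided code. It parses the subject DN returned by X509::subject into its RDNs and compares O and CN exactly, instead of testing whether a list entry appears anywhere in the DN string (with contains, an entry such as "CN=John Smith" also matches a subject whose CN is "John Smithers"). The CLIENTSSL_CLIENTCERT part carries the first example's policy and reuses the page's my_cn_list data group unchanged; the HTTP_REQUEST part carries the second example's policy, driven by an assumed string data group uri_cn_map whose keys are URI prefixes and whose values are the required CN (for instance "/companyA" := "Company A"). The static::org value is likewise an assumption. With Client Certificate = require, every connection must pass the handshake-time check; with Client Certificate = request, a connection that presents no certificate reaches HTTP_REQUEST with an empty CN and is rejected only on the URIs listed in uri_cn_map.

```tcl
# Added example, not code from the original page. Assumed names: the
# my_cn_list data group from the page ("CN=..." entries) and a hypothetical
# string data group uri_cn_map mapping a URI prefix to the exact CN it needs.
when RULE_INIT {
    set static::org "Your Organisation"
}

when CLIENT_ACCEPTED {
    # Per-connection state, initialised here so HTTP_REQUEST never reads an
    # unset variable when the client presents no certificate.
    set cert_cn ""
    set cert_org ""
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } { return }
    # X509::subject returns the OpenSSL one-line form, e.g.
    # /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    # Split the DN into RDNs and keep the exact O and CN values. A "/" inside
    # an attribute value would break this split; the example assumes the
    # issuing CA does not produce such subjects.
    foreach rdn [split [string trimleft $subject_dn "/"] "/"] {
        set eq [string first "=" $rdn]
        if { $eq < 1 } { continue }
        set attr [string range $rdn 0 [expr {$eq - 1}]]
        set val  [string range $rdn [expr {$eq + 1}] end]
        switch -- $attr {
            O  { set cert_org $val }
            CN { set cert_cn $val }
        }
    }
    # First example's policy: O must match and the CN must be exactly one of
    # the listed entries (equals, not contains).
    if { ($cert_org ne $static::org) || ![class match -- "CN=$cert_cn" equals my_cn_list] } {
        log local0. "Rejected client certificate: $subject_dn"
        reject
        return
    }
    log local0. "Accepted client certificate: $subject_dn"
}

when HTTP_REQUEST {
    # Second example's policy: only URIs with an entry in uri_cn_map demand a
    # particular CN; class match -value returns "" when no prefix matches.
    set required_cn [class match -value -- [HTTP::uri] starts_with uri_cn_map]
    if { $required_cn ne "" && $cert_cn ne $required_cn } {
        log local0. "Rejected [HTTP::uri]: CN '$cert_cn' does not match required '$required_cn'"
        reject
    }
}
```

Because the CN is compared with equals against the data group rather than with contains against the whole DN, a certificate whose CN merely begins with a listed name no longer passes, and the per-URI requirement is extended by adding a data group entry rather than another elseif branch.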
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.