X509::subject

Description

Returns the subject of the specified X509 certificate.

Syntax

X509::subject <X509 certificate>
# v16.1.3
X509::subject <X509 certificate> commonName

X509::subject <X509 certificate>

  • Returns the subject of the specified X509 certificate.

X509::subject <X509 certificate> commonName

  • Returns the subject commonName (CN) found in the specified X509 certificate in UTF8 format.

Note

  • The commonName option was introduced in 16.1.3.

Examples

when CLIENTSSL_HANDSHAKE {
   # Check if the client supplied one or more client certs
   if { [SSL::cert count] > 0 } {

     # Check the first client cert subject
     if { [X509::subject [SSL::cert 0]] equals "someSubject" } {
       log local0. "X509 Certificate Subject [X509::subject [SSL::cert 0]]"
       pool my_pool
     }
     # Check the first client cert subject commonName
     if { [X509::subject [SSL::cert 0] commonName] equals "someCommonName" } {
       log local0. "X509 Certificate Subject [X509::subject [SSL::cert 0] commonName]"
       pool my_pool
     }
   }
}

This procedure extracts a specific field from the subject DN.

# note that RFC 2253 special characters are transcoded internally
#
#x509SubjectExtract "C=US,O=Biz.\\,Inc.,OU=UNIT\\=foo,CN=NAME" "O"
#returns Biz.\,Inc.
#x509SubjectExtract "C=US,O=Biz.\\,Inc.,OU=UNIT\\=foo,CN=NAME" "OU"
#returns UNIT\=foo
#
# of course this means %f5equals5% or %f5kommaf5% must not occur in the input string


proc x509SubjectExtract { str sfield } {
    set res "$sfield notFound"
    set str [ regsub -all {\\,} $str  "%f5kommaf5%" ]
    foreach field [ split $str ","] {
        set field [ regsub -all {\\=} $field  "%f5equals5%" ]
        foreach { fname  fval } [ split $field "=" ]  break
        if { $fname eq $sfield } {
            set res [ regsub -all {%f5equals5%} $fval \\=  ]
            break
        }
    }
    set res [ regsub -all {%f5kommaf5%} $res  \\, ]
    return $res
}

Note

The output behavior changed in BIGIP-9.3.0 to support multiple languages and RFC 2253 compliance.

Before the change

/CN=Name/OU=UNIT/O=Biz.,Inc./C=US

After the change

C=US,O=Biz.\,Inc.,OU=UNIT,CN=NAME

The output behavior changed again in 13.0.0 due to fixes for ID 607410 (K81239824). It still supports multiple languages and RFC 2253 compliance.

Comparison to a few OpenSSL output examples:

X509::subject

CN=Name, OU=UNIT, O="Biz.,Inc.", C=US

openssl x509 -in cert -noout -text | grep Subject

Subject: CN=Name, OU=UNIT, O=Biz.,Inc., C=US

openssl x509 -in cert -noout -subject

subject= /CN=Name/OU=UNIT/O=Biz.,Inc./C=US
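
The x509SubjectExtract procedure above splits on bare commas, so on the 13.0.0 form a leading space ends up in each field name after the first and a double-quoted comma splits the value. The following is an added example, not F5's code (the name x509SubjectField is hypothetical), that extracts a field from either comma-separated form shown on this page.

```tcl
# Added example, not F5's code. x509SubjectField is a hypothetical name.
# Returns the value of the first attribute named $want in a comma-separated
# subject string, or an empty string if the attribute is absent.
# Accepts both comma-separated forms shown on this page:
#   C=US,O=Biz.\,Inc.,OU=UNIT,CN=NAME          (backslash-escaped)
#   CN=Name, OU=UNIT, O="Biz.,Inc.", C=US      (double-quoted, ", " separator)
proc x509SubjectField { subject want } {
    set parts {}
    set cur ""
    set inq 0
    set len [string length $subject]
    for { set i 0 } { $i < $len } { incr i } {
        set c [string index $subject $i]
        if { $c eq "\\" } {
            # Keep the escape pair together so an escaped comma is never a delimiter
            append cur $c [string index $subject [incr i]]
        } elseif { $c eq "\"" } {
            # Toggle quoted state; commas inside quotes belong to the value
            set inq [expr { !$inq }]
            append cur $c
        } elseif { $c eq "," && !$inq } {
            lappend parts $cur
            set cur ""
        } else {
            append cur $c
        }
    }
    lappend parts $cur
    foreach part $parts {
        set part [string trim $part]
        # The attribute name cannot contain "=", so the first one is the delimiter
        set eq [string first "=" $part]
        if { $eq < 0 } { continue }
        if { [string range $part 0 [expr { $eq - 1 }]] ne $want } { continue }
        set val [string range $part [expr { $eq + 1 }] end]
        # Drop the surrounding double quotes used by the 13.0.0 form
        if { [string match {"*"} $val] } {
            set val [string range $val 1 end-1]
        }
        return $val
    }
    return ""
}
```

Values come back as the device formatted them, so Biz.\,Inc. and Biz.,Inc. are different strings; compare against the form your BIG-IP version emits and re-test any subject-based pool selection after an upgrade.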