In this case the BIG-IP is terminating SSL connections, the backend web server needs the information from the client certificate, and the BIG-IP should not re-encrypt the traffic to the node.

We have successfully configured the BIG-IP to require client certificates - it accepts the certs and passes the traffic through. Now we need to be able to read and manipulate the client cert at the backend IIS web server from ASP/ASP.NET code.

No problem. With iRules you have full access to the client certificate, and it's fairly simple to base64 encode the entire client certificate into an HTTP header and pass it to the backend web server. Here's what they finally came up with, with some guidance from the DevCentral team.

when CLIENTSSL_HANDSHAKE {
  # On a resumed SSL session the client does not re-send its certificate,
  # so [SSL::cert 0] is empty there. Cache the cert from the full handshake
  # in the session table, keyed by SSL session ID, and reuse it on resumption.
  set cur [SSL::sessionid]
  if { [session lookup ssl $cur] eq "" && [SSL::cert count] > 0 } {
    session add ssl $cur [SSL::cert 0]
  }
}

when HTTP_REQUEST {
  # Never forward a client-supplied SSLClientCert header: strip every
  # occurrence first so the backend only sees the value set here.
  HTTP::header remove SSLClientCert
  set the_cert [session lookup ssl [SSL::sessionid]]
  if { $the_cert ne "" } {
    # [SSL::cert 0] is the raw DER certificate; base64 makes it header-safe.
    HTTP::header insert SSLClientCert [b64encode $the_cert]
  }
}

Search Google for Base64 and VB and you should find an implementation of the decoding method (or check the forum thread below). One caveat: the backend must only trust this header on requests that actually came from the BIG-IP. A client that can reach IIS directly could supply its own SSLClientCert header, so lock the pool members down to the BIG-IP's self IP.
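To save the Base64-and-VB search, here is the backend half as an added C# example. This is not code from the original thread; it assumes the SSLClientCert header name from the iRule above, a placeholder BIG-IP self IP of 10.0.0.5 as the only address allowed to reach IIS, and a code-behind page class named Secure.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example (not from the original post): reading the SSLClientCert header
// that the iRule inserts and turning it back into an X509Certificate2.
public static class BigIpClientCert
{
    // Must match the header name used in the iRule.
    public const string HeaderName = "SSLClientCert";

    // Assumption: the BIG-IP's self IP is the only address allowed to reach
    // this site. Placeholder value; set it to your own self IP.
    public const string TrustedProxyAddress = "10.0.0.5";

    // Decodes the base64 header value into a certificate object.
    // Returns null when the header is missing, is not valid base64,
    // or does not contain a parseable DER certificate.
    public static X509Certificate2 Decode(string headerValue)
    {
        if (string.IsNullOrEmpty(headerValue))
            return null;

        try
        {
            // The iRule b64encodes the raw DER bytes from [SSL::cert 0],
            // so a single Convert.FromBase64String call round-trips it.
            byte[] der = Convert.FromBase64String(headerValue.Trim());
            return new X509Certificate2(der);
        }
        catch (FormatException)
        {
            return null;   // header was not base64
        }
        catch (CryptographicException)
        {
            return null;   // bytes were not a certificate
        }
    }

    // Reads the certificate for the current request, but only when the request
    // arrived from the BIG-IP. A client that can reach IIS directly could send
    // its own SSLClientCert header, so from any other source it is ignored.
    public static X509Certificate2 FromRequest(HttpRequest request)
    {
        if (request.UserHostAddress != TrustedProxyAddress)
            return null;

        return Decode(request.Headers[HeaderName]);
    }
}

// Usage in an ASP.NET page (code-behind); the class name is hypothetical.
public partial class Secure : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        X509Certificate2 cert = BigIpClientCert.FromRequest(Request);
        if (cert == null)
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // The BIG-IP already validated the chain against its trusted CA bundle
        // during the handshake, so what remains here is to use the identity.
        string subject = cert.Subject;          // e.g. CN=..., O=...
        string thumbprint = cert.Thumbprint;    // SHA-1 hex, a stable key for lookups
        bool expired = DateTime.UtcNow > cert.NotAfter.ToUniversalTime();
        // ... map subject/thumbprint to an application user here ...
    }
}
```

The source-address check is the important part: the base64 header carries no proof of origin, so its only guarantee comes from the BIG-IP being the sole path into IIS. Checking the thumbprint or subject against your user store is then an ordinary lookup rather than a second certificate validation.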

Click here for the original thread.

-Joe

[Listening to: Ants Marching - Dave Matthews Band - Central Park Concert (2 of 3) (05:51)]