Forum Discussion

Nimbostratus

Aug 18, 2009

client certificate authentication for a particular directory

Hi I need to use client certificate authentication for a particular directory, for example: on https://demo.com (no authentication needed) https://d...

config

design

hooleylist

Cirrostratus

Aug 20, 2009

You'll need to set the client SSL profile to ignore client certs. In the iRule, after examining the requested URI and finding a request to a restricted URI, you'll want to renegotiate the SSL handshake with the client and dynamically set the client SSL filter to request a client cert. You can do this using:

HTTP::collect

SSL::session invalidate

SSL::authenticate always

SSL::authenticate depth 9

SSL::cert mode request

SSL::renegotiate

Make sure to include 'SSL::session invalidate' to force browsers to renegotiate a new SSL session ID. Not all versions of IE will do this otherwise.

Aaron

Forum Discussion

client certificate authentication for a particular directory

Recent Discussions

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

URL

Problems connecting to vpn after upgrading to ubuntu 24.04

Wildcard SSL Certificate Deployment on F5 LTM

iRule resulting in too many redirects

Related Content

APM Clientless certificate authentication

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

BIG-IQ Client Certificate (PKI) Authentication

Automating ACMEv2 Certificate Management on BIG-IP

Doing mTLS Authentication per URL