Forum Discussion
hooleylist
Jan 24, 2011 · Cirrostratus
Hi Miguel,
You might be able to just add both CA root certs to the same bundle and configure that in the client SSL profile.
If that doesn't work, you could potentially select the client SSL profile based on the requested URI. You'd need to use SSL::renegotiate after parsing the URI to determine which client SSL profile to select. You could then call SSL::profile to select that profile. Here are the related wiki pages for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__renegotiate
http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__profile
Here is a rough, untested idea of what the SSL renegotiation might look like:
    when HTTP_REQUEST {
        # Check the requested path
        switch -glob [HTTP::path] {
            "/profile1_uri/*" {
                # Hold the request while the client is asked to renegotiate
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
                SSL::profile profile1_clientssl
            }
            "/profile2_uri/*" {
                # Same steps, selecting the second client SSL profile
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
                SSL::profile profile2_clientssl
            }
        }
    }
If you try this, add some debug logging, test with a client cert from each CA and reply back with details of any issues you encounter.
Aaron
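
The single-bundle option from the reply above, as an added example that is not part of the original post: it concatenates two root certificates into one PEM bundle and checks with openssl that a client certificate from each CA validates against it while one from an unrelated CA does not. The CAs, client certificates and file names (ca1, ca2, ca3, client_ca_bundle.pem) are throwaway test data constructed for this sketch.

```shell
#!/bin/sh
# Added example: throwaway CAs and client certs, all constructed test data.
set -e

# make_ca NAME: self-signed root certificate NAME.pem with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# make_client CA NAME: client certificate NAME.pem issued by CA
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# count_certs FILE: number of PEM certificates in FILE
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# trusted BUNDLE CERT: succeeds only if CERT chains to a root in BUNDLE
trusted() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

workdir=$(mktemp -d)
cd "$workdir"
make_ca ca1;  make_client ca1 client1
make_ca ca2;  make_client ca2 client2
make_ca ca3;  make_client ca3 outsider     # CA deliberately left out

# The bundle is the two root certificates concatenated in PEM form.
cat ca1.pem ca2.pem > client_ca_bundle.pem

echo "certificates in bundle: $(count_certs client_ca_bundle.pem)"
for c in client1 client2 outsider; do
    if trusted client_ca_bundle.pem "$c.pem"; then
        echo "$c: accepted"
    else
        echo "$c: rejected"
    fi
done
```

Running the same `openssl verify` check against the real roots and one real client certificate from each CA confirms the bundle is complete before it is referenced from the client SSL profile.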