Forum Discussion
Kevin_Stewart
Nov 05, 2012
Employee
In a word, no.
When the client sends its certificate to the server, it does so AFTER digitally signing a portion of the response with its private key. In order to pass the client's certificate in an SSL negotiation to the server, BIG-IP would have to have a copy of the client's private key.
You have at least two options:
1. ProxySSL - this is a "man-in-the-middle" SSL technique that allows the BIG-IP to be part of the SSL negotiation between endpoints. So you get complete end-to-end SSL but also the ability to (transparently) decrypt and inspect the HTTP data. It's available starting with v11.
2. Decrypt and pass HTTP headers - if you can justify terminating the SSL at the BIG-IP (with the added performance benefit), this is a tried and true solution. Terminate the SSL and send the X509 certificate data in an HTTP header (or other data component).
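
A sketch of option 2 as an iRule, added here as an illustration and not part of the original post. It assumes the virtual server's client SSL profile requires and validates the client certificate; the `X-Client-Cert-*` header names are hypothetical.

```tcl
# Added example: runs on a virtual server that terminates client SSL.
# Assumptions: the client SSL profile requires and validates the client
# certificate; the X-Client-Cert-* header names are hypothetical.
when HTTP_REQUEST {
    # Drop any copies of these headers sent by the client, so the backend
    # only ever sees values written by the BIG-IP.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"
    HTTP::header remove "X-Client-Cert-Serial"
    HTTP::header remove "X-Client-Cert-DER"

    # Forward certificate data only if the client presented a certificate.
    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 is the client's own certificate in DER form.
        set cert [SSL::cert 0]
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
        HTTP::header insert "X-Client-Cert-Issuer" [X509::issuer $cert]
        HTTP::header insert "X-Client-Cert-Serial" [X509::serial_number $cert]
        # Base64 keeps the binary DER safe inside a header value.
        HTTP::header insert "X-Client-Cert-DER" [b64encode $cert]
    }
}
```

The forwarded headers carry no proof that the sender holds the private key, so the backend should accept them only on connections that come from the BIG-IP.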