Forum Discussion
CertChk + Redirect
Looking for an iRule to use that will check for a specific machine CERT and if not found redirect to a custom URL. Any help is appreciated. Thank you.
11 Replies
- Soap_111722
Nimbostratus
More specifically I want to check the CN and Certificate Template Information field.
- Brad_Parker_139
Nacreous
Something like this could do the trick. You may have to tweak to your needs. You will also need to set your client auth in your client SSL profile to request.
https://devcentral.f5.com/wiki/iRules.X509__subject.ashx
https://devcentral.f5.com/wiki/iRules.SSL__cert.ashx
    when HTTP_REQUEST {
        if {[SSL::cert count] > 0} {
            set cert_subject [X509::subject [SSL::cert 0]]
            if {$cert_subject equals "CN..."} {
                return
            } else {
                # if cert doesn't contain required subject, redirect
                HTTP::respond 302 noserver Location "https://someurl"
            }
        } else {
            # if no cert presented, redirect
            HTTP::respond 302 noserver Location "https://someurl"
        }
    }
- Soap_111722
Nimbostratus
Thanks for the reply Brad, I'm looking for a more granular approach if possible as we do have some certs that will be on client machine with the same CN. Is it possible to query the Certificate Template Name field as well as the CN?
- Brad_Parker_139
Nacreous
Are those certs issued from the same CA?
- Soap_111722
Nimbostratus
Yes, they are and that is the problem.