Grayson_149410
Apr 07, 2016

APM: Multiple Cert Check

In my AP right now, I have a machine cert inspection. I have it set to only look for one issuer right now. I would like for it to check from two different issuers. Is there a way to do this in one client cert check, or do I need to have a fallback with the other issuer? I tried doing an OR statement in the Issuer but it didn't like that. Are there any other tricks or do I just need to create two inspections with fallbacks like I have currently?

 CN=CA1, DC=ABC, DC=COM
      or
 CN=CA2, DC=ABC, DC=COM

1 Reply

  • You will need to check for one issuer, then fall back to the other issuer if the first check doesn't pass. You will not be able to do an "OR" statement in the issuer.

    You can use a regex if you would like. The following is from the online help for the Machine Cert Action.

    Specifies a regular expression to use to match the Issuer content against the specified pattern.
    The order of RDNs is the same as is displayed; the required separator is a comma ,.
    Example 3. Regex extraction
    Partial match. CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US
    Exact match. E=test@f5.com, CN=f5clientrootcert, OU=es, O=f5, L=london, S=chertsey, C=uk
    

    You could have something like

    CN=CA.*, DC=ABC, DC=COM

    and that should match CA1 and CA2.

    -Seth
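
One way to check a candidate Issuer pattern before putting it in the access policy (an added example, not part of the thread or of F5's code). It assumes Python's `re` with whole-string matching as a stand-in for the Machine Cert matcher; the issuer strings are constructed and the narrower pattern `CN=CA[12], DC=ABC, DC=COM` is a hypothetical alternative.

```python
import re

# Constructed issuer strings in the RDN order and ", " separator shown on the page.
WANTED = ["CN=CA1, DC=ABC, DC=COM", "CN=CA2, DC=ABC, DC=COM"]
NOT_WANTED = [
    "CN=CA3, DC=ABC, DC=COM",          # a third CA under the same domain
    "CN=CA-Test, DC=ABC, DC=COM",      # any CN that merely starts with "CA"
    "CN=CA1, DC=LAB, DC=ABC, DC=COM",  # ".*" can run across RDN separators
    "CN=OtherCA, DC=ABC, DC=COM",      # unrelated CA, should never match
]

BROAD = r"CN=CA.*, DC=ABC, DC=COM"     # pattern suggested in the reply
TIGHT = r"CN=CA[12], DC=ABC, DC=COM"   # hypothetical narrower alternative


def audit(pattern, wanted=WANTED, not_wanted=NOT_WANTED):
    """Return (missed, extra): wanted issuers the pattern rejects and
    unwanted issuers it accepts. Assumes whole-string matching, which may
    differ from how the APM regex engine anchors its match."""
    rx = re.compile(pattern)
    missed = [dn for dn in wanted if not rx.fullmatch(dn)]
    extra = [dn for dn in not_wanted if rx.fullmatch(dn)]
    return missed, extra


if __name__ == "__main__":
    for name, pattern in (("broad", BROAD), ("tight", TIGHT)):
        missed, extra = audit(pattern)
        print(f"{name}: {pattern}")
        print(f"  missed wanted issuers : {missed or 'none'}")
        print(f"  extra issuers accepted: {extra or 'none'}")
```

Both patterns accept CA1 and CA2; the difference is in what else each one lets through, so the regex is worth testing against issuers that should be rejected as well as the two that should pass.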