Forum Discussion
- Kevin_Stewart (Employee)
The answer to this question depends largely on which type of pinning you're talking about.
Generally speaking, certificate pinning requires a priori knowledge of the server's certificate, or of the issuer of the server's certificate. This means that a user agent (a browser, mobile client, Dropbox or AV update client) will come pre-loaded with a list of sites and their corresponding "known" certs (or at least cert signatures). In this case, there's really nothing that a proxy (i.e. LTM) could do to configure certificate pinning.
Public key pinning more or less refers to a different, more flexible approach that allows a server to send "pins" (certificate signatures). HTTP Public Key Pinning (HPKP) provides a method to send these pins as an HTTP header, the "Public-Key-Pins" header. See this Mozilla article for more details:
https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
In this case it's rather trivial to configure LTM to provide public key pins, either in an iRule or LTM policy. To do it in an LTM policy, you'd specify the following in the Actions setting of a Rule:
Target: http-header
Event: response
Action: insert (or replace)
Parameters:
  name: Public-Key-Pins
  value: [derived values for your target certificate]
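How the "derived values" placeholder above is filled in, as an added example (my own Python, not F5's code): per RFC 7469 each pin is base64(SHA-256) over the DER SubjectPublicKeyInfo (SPKI), so this script pulls the SPKI out of a certificate with a minimal DER walker, computes the pin, and assembles the header value including the backup pin the RFC requires. The certificate and keys are constructed stand-ins, not real ones.

```python
import base64
import hashlib


def _tlv(data, pos=0):
    """Parse one DER tag-length-value at pos -> (tag, value, end offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV from an X.509 certificate."""
    _, cert, _ = _tlv(cert_der)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert)       # TBSCertificate ::= SEQUENCE { [0] version?, serial, ... }
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        tag, _, pos = _tlv(tbs, pos)
        fields.append((tag, tbs[start:pos]))  # keep the whole TLV; the pin hashes all of it
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI


def spki_pin(spki_der):
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def hpkp_header_value(spki_ders, max_age=5184000, include_subdomains=False):
    """Public-Key-Pins value for the LTM policy/iRule to insert. RFC 7469 requires a
    backup pin for a key not yet deployed, so losing the live key cannot lock clients out."""
    if len(spki_ders) < 2:
        raise ValueError("HPKP needs the live pin plus at least one backup pin")
    parts = ['pin-sha256="%s"' % spki_pin(s) for s in spki_ders]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def _der(tag, content):
    """Tiny DER encoder (short-form lengths only), used just to build the sample below."""
    return bytes([tag, len(content)]) + content


# Constructed sample (not a real certificate): certificate-shaped DER with fake keys.
_ALG = _der(0x30, b"\x06\x03\x2a\x03\x04")
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00" + bytes(range(64))))
BACKUP_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00" + bytes(64)))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real certificate, `openssl x509 -in cert.pem -outform DER` produces the input bytes for `extract_spki`. Modern browsers have since dropped HPKP support, but the same SPKI pin format is what mobile client pin sets use.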