Wiki: iRules API

CLIENTSSL_CLIENTCERT

Triggered when the system receives a certificate message from the client. The message may contain zero or more certificates. The BIG-IP system can retrieve the X509 certificate and its X509 issuer with the SSL::cert and SSL::cert issuer commands.


  when CLIENTSSL_CLIENTCERT {

     # Save the first client cert (index 0) to a variable.
     set ssl_cert [SSL::cert 0]

     # Using the SSL session ID as the key,
     # add the cert to the session table with a timeout of 180 seconds
     session add ssl [SSL::sessionid] $ssl_cert 180
  }


  when CLIENTSSL_CLIENTCERT {

     # Debug flag (1 = log certificate details)
     set debug 1

     # Check if client presented a cert after it was requested/required
     if {[SSL::cert count] > 0} {

        # Client presented at least one cert.  The actual client cert should always be first.
        if {$debug} {

           # Loop through each cert and log the cert subject, issuer and serial number
           for {set i 0} {$i < [SSL::cert count]} {incr i} {

              log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\
                 issuer=[X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
           }
        }
     } else {
        if {$debug} {log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"}
     }
  }

Sample log output:

<CLIENTSSL_CLIENTCERT>: client IP:port= cert 0; subject:,CN=Some User,OU=Example OU,OU=Example2 OU; issuer: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; cert_serial=22:22:22:22:22:22:22:22:22:22;
<CLIENTSSL_CLIENTCERT>: client IP:port= cert 1; subject: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; issuer: CN=Example CA Primary CA,O=Secure Internet Services Ltd; cert_serial=11:11:11:11:11:11:11:11:11:11;
<CLIENTSSL_CLIENTCERT>: client IP:port= cert 2; subject: CN=Example CA Primary CA,O=Secure Internet Services Ltd; issuer: CN=Example CA Root CA,O=Secure Internet Services Ltd; cert_serial=00:00:00:00:00:00:00:00:00:00;
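The following is an added example, not code from this wiki page, that combines the two snippets above: it checks the presented client cert in CLIENTSSL_CLIENTCERT, records its identity in the session table keyed by SSL session ID, and reads it back in HTTP_REQUEST to pass a trusted header to the pool. The expected issuer DN and the header name X-Client-Cert-Subject are constructed values; the issuer string comparison only supplements the chain verification configured in the client SSL profile, it does not replace it.

```tcl
when CLIENTSSL_CLIENTCERT {
   # Constructed value: the DN of the CA that is allowed to issue client certs.
   set expected_issuer "CN=Example CA Customer CA,O=Secure Internet Services Ltd."

   # No cert after it was requested/required: log and drop the connection.
   if {[SSL::cert count] == 0} {
      log local0. "[IP::client_addr]:[TCP::client_port]: no client cert presented"
      reject
      return
   }

   # The end-entity cert is always index 0; the rest of the chain follows.
   set cert [SSL::cert 0]
   set issuer [X509::issuer $cert]

   if {$issuer ne $expected_issuer} {
      log local0. "[IP::client_addr]:[TCP::client_port]: unexpected issuer \"$issuer\""
      reject
      return
   }

   # Store subject and serial (not the whole cert) for 180 seconds,
   # keyed by the SSL session ID as on this page.
   session add ssl [SSL::sessionid] \
      [list [X509::subject $cert] [X509::serial_number $cert]] 180
}

when HTTP_REQUEST {
   # Never trust a client-supplied copy of the identity header.
   HTTP::header remove "X-Client-Cert-Subject"

   set info [session lookup ssl [SSL::sessionid]]
   if {$info ne ""} {
      # Constructed header name; the pool member uses it as the authenticated identity.
      HTTP::header insert "X-Client-Cert-Subject" [lindex $info 0]
   }
}
```

Because the session entry is written only after the issuer check passes, a request with no matching entry reaches the pool without the identity header rather than with a forged one.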

Related Information

Available Commands:
  • clone - Causes the system to clone traffic to the specified pool or pool member regardless of monitor status.
  • forward - Sets the connection to forward IP packets.
  • IP::idle_timeout - Returns or sets the idle timeout value.
  • ip_ttl - Returns the TTL of the latest IP packet received.
  • lasthop - Sets the lasthop of an IP connection.
  • listen - Sets up a related ephemeral listener to allow an incoming related connection to be established.
  • LSN::address - Set or override translation address.
  • LSN::disable - Disable LSN translation.
  • LSN::inbound - Disable inbound connections to translation address/port.
  • LSN::persistence - Set translation selection mode and persistence timeout.
  • LSN::persistence-entry - Create or lookup translation address.
  • LSN::pool - Specify LSN pool for current connection.
  • LSN::port - Set or override translation port.
  • nexthop - Sets the nexthop of an IP connection.
  • node - Sends the packet directly to the identified server node.
  • peer - Causes the specified iRule commands to be evaluated under the peer’s (opposite) context.
  • persist - Causes the system to use the named persistence type to persist the connection.
  • pool - Causes the system to load balance traffic to the specified pool or pool member regardless of monitor status.
  • session - Utilizes the persistence table to store arbitrary information based on the same keys as persistence.
  • SSL::cert - Returns X509 SSL certificate data.
  • SSL::extensions - Returns or manipulates SSL extensions.

Sample Code:

  • Introduced: BIGIP-9.0.0