Difference between revisions of "Client Auth via PKI"
From Tech-Wiki
(Created page with "Category:F5 Networks '''Back to iRules''' # add datagroup CertificateCA #String: DigiCert Server CA #Value: www.domain.com when CLIENTSSL_CLIEN...") |
|||
| Line 6: | Line 6: | ||
#Value: www.domain.com | #Value: www.domain.com | ||
when CLIENTSSL_CLIENTCERT { | when CLIENTSSL_CLIENTCERT { | ||
| − | + | set SubCN [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","] | |
| − | + | set IssCN [findstr [X509::issuer [SSL::cert 0]] "CN=" 3 ","] | |
| − | + | if {[class match $IssCN equals CertificateCA]}{ | |
| − | + | set name [class match -value $IssCN equals CertificateCA] | |
| − | + | if {$name ne ""} { | |
| − | + | if { $name eq $SubCN } { | |
| − | + | } else { | |
| − | + | reject | |
| − | + | } | |
| − | + | } else { | |
| − | + | reject | |
| − | + | } | |
| − | + | } else { | |
| − | + | } | |
} | } | ||
Revision as of 15:59, 20 May 2019
# add datagroup CertificateCA
#String: DigiCert Server CA
#Value: www.domain.com
when CLIENTSSL_CLIENTCERT {
set SubCN [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
set IssCN [findstr [X509::issuer [SSL::cert 0]] "CN=" 3 ","]
if {[class match $IssCN equals CertificateCA]}{
set name [class match -value $IssCN equals CertificateCA]
if {$name ne ""} {
if { $name eq $SubCN } {
} else {
reject
}
} else {
reject
}
} else {
}
}