How do I limit policy access by client certificate?

Question asked by jcrivkin on Sep 27, 2016
Latest reply on Apr 6, 2018 by PavanReddy

I would like to create a policy that requires the request to contain a particular client certificate.
I created a policy containing an assertion "Require SSL or TLS Transport with Client Certificate Authentication". When we send a request without a certificate, the request is rejected. It works fine with a valid certificate. However, it appears that any valid certificate is accepted. I would like to limit which certificates are accepted. Ideally I would do this in the require SSL assertion.

Lacking the ability to limit the request to particular certificates, I tried to examine the certificate and match on attributes such as subject.CN.  I added an assertion "Extract Attributes from Certificate".  However, this assertion always evaluates to false.  I cannot examine the certificate even though I can only reach the assertion if the request contains a certificate.
Any suggestions on why "Extract Attributes from Certificate" always evaluates to false?
Is there a different approach to limiting access to a policy by certificate?
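The two-stage check the asker is after, written out as an added Go example (this is not code from the original post or from the gateway product). The transport-level assertion only proves that the client holds a certificate chaining to a trusted CA, so restricting access to particular clients needs a second step that compares attributes of the presented certificate, here the subject CN or a SHA-256 fingerprint pin, against an allowlist. The CA, the client certificates and the names alice.example and bob.example are constructed fixtures generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClientCertPolicy is the allowlist layer behind "the client presented a
// certificate that chains to a CA we trust". Roots is what the transport check
// already enforces; AllowedCNs and AllowedSHA256 narrow it to specific clients.
type ClientCertPolicy struct {
	Roots         *x509.CertPool
	AllowedCNs    map[string]bool // subject CN values; only meaningful under roots you control
	AllowedSHA256 map[string]bool // lowercase hex SHA-256 of the DER cert; pins one exact cert
}

// Fingerprint returns the lowercase hex SHA-256 over the DER encoding of cert.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Authorize verifies the chain first (any valid client cert passes this stage,
// which is the asker's complaint), then requires a fingerprint or subject-CN match.
func (p ClientCertPolicy) Authorize(cert *x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:     p.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if p.AllowedSHA256[Fingerprint(cert)] || p.AllowedCNs[cert.Subject.CommonName] {
		return nil
	}
	return errors.New("certificate is valid but not on the allowlist: CN=" + cert.Subject.CommonName)
}

// issue signs template with parent/parentKey; self-signed when parent is nil.
// (Constructed fixture helper for the example, not a production issuer.)
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA creates a throwaway self-signed CA for the example.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// NewClientCert issues a TLS client certificate with the given subject CN.
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

func main() {
	ca, caKey := NewCA("Example Internal CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	alice := NewClientCert(ca, caKey, "alice.example", 2)
	bob := NewClientCert(ca, caKey, "bob.example", 3)

	policy := ClientCertPolicy{Roots: roots, AllowedCNs: map[string]bool{"alice.example": true}}
	fmt.Println("alice:", policy.Authorize(alice)) // chains and CN matches: nil
	fmt.Println("bob:  ", policy.Authorize(bob))   // chains, but CN not allowlisted: error
	fmt.Println("pin for bob:", Fingerprint(bob))  // value to put in AllowedSHA256 instead
}
```

A subject-CN allowlist is only as strong as the set of roots that may issue it: any CA in Roots can mint a certificate with CN=alice.example, so keep that pool to the CA you operate. A fingerprint pin has no such dependency, but it identifies one exact certificate and must be updated at every renewal.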