
Instantiating a certificate object (without having cert from authN; without having cert in trust store)

Question asked by ivan.henault on May 16, 2017
Latest reply on May 16, 2017 by Stephen_Hughes

Hello everyone,


We know that a certificate can be loaded into the appropriate certificate object (request.ssl.clientCertificate.*) under these conditions:


- authentication

- message signing

- look up certificate


Each of these requires having access to the target certificate either from authentication, from a signed message or element, or from the trust store.


Is there any way to instantiate the certificate object by just having a PEM encoded certificate in a string?


Here's the scenario:

- the client has a need for the requestor IP
- the client refuses to disable or work around source network address translation at the load balancer (SNAT prevents the requestor IP from being visible to the gateway)
- the gateway must validate the association between a client certificate and an API key (as a step in a mutual authentication policy)
- the load balancer will pass the PEM encoded cert to the gateway via an HTTP header
- the gateway will compare the passed PEM value with its own record to confirm that the client certificate is associated with the API key
- the gateway will need access to certain details like subject, issuer, validity dates; this can only happen if the certificate is set as a


So... in order to still be able to have the requestor IP, the gateways will have to rely on the load balancer to terminate SSL. This also means that the load balancer must collect the client certificate and pass it back to the gateway.


The gateway's current mutual auth policy relies on pinned certificates.


It is easy enough to compare the incoming PEM in the header with the value we have stored, but I want to have access to the subject, issuer, validity dates, serial, etc. This is what is not possible as yet (unless someone has found a way).
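The following is an added example, not code from the original post or from the gateway product it concerns. It shows, in Go's standard library, the step the question asks about: taking the PEM string the load balancer put in a header, turning it into a parsed certificate object, reading subject, issuer, serial and validity dates from it, and comparing it against the pinned record for the API key by DER fingerprint rather than by PEM text. It assumes the load balancer sends the PEM either URL-encoded or with its newlines flattened to spaces (the post does not say which, so both are handled); the client certificate is constructed inside the example so it runs offline, and the `checkAPIKeyBinding` and `decodeHeaderCert` function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// CertSummary carries the fields the post wants once the header value has
// become a certificate object.
type CertSummary struct {
	Subject, Issuer, Serial, Fingerprint string // Fingerprint: hex SHA-256 of the DER bytes
	NotBefore, NotAfter                  time.Time
}

// decodeHeaderCert turns the header value into a parsed certificate. It accepts
// the two transports a load balancer typically uses (assumption: the post does
// not name its load balancer): the PEM URL-encoded, or the PEM with its newlines
// flattened to spaces because header values cannot contain newlines.
func decodeHeaderCert(headerValue string) (*x509.Certificate, error) {
	v := headerValue
	if strings.Contains(v, "%") {
		unescaped, err := url.PathUnescape(v) // PathUnescape leaves the base64 '+' alone
		if err != nil {
			return nil, fmt.Errorf("header is not valid URL-encoding: %w", err)
		}
		v = unescaped
	}
	const begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
	i, j := strings.Index(v, begin), strings.Index(v, end)
	if i < 0 || j < i {
		return nil, errors.New("header does not carry a PEM certificate")
	}
	// Drop every run of whitespace so newline-separated and space-flattened bodies both decode.
	body := strings.Join(strings.Fields(v[i+len(begin):j]), "")
	der, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, fmt.Errorf("PEM body is not valid base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// summarize reads the details the gateway needs from the parsed certificate.
func summarize(cert *x509.Certificate) CertSummary {
	sum := sha256.Sum256(cert.Raw)
	return CertSummary{
		Subject: cert.Subject.String(), Issuer: cert.Issuer.String(),
		Serial: cert.SerialNumber.String(), NotBefore: cert.NotBefore, NotAfter: cert.NotAfter,
		Fingerprint: hex.EncodeToString(sum[:]),
	}
}

// checkAPIKeyBinding is the gateway-side step from the post: the API key's record
// holds the SHA-256 fingerprint of the pinned client certificate, so the comparison
// is on DER bytes rather than PEM text (which can differ only in line wrapping).
// The validity window is checked too, since the gateway no longer sees the TLS handshake.
func checkAPIKeyBinding(cert *x509.Certificate, pinnedFingerprint string, now time.Time) error {
	got := summarize(cert).Fingerprint
	if subtle.ConstantTimeCompare([]byte(got), []byte(pinnedFingerprint)) != 1 {
		return errors.New("client certificate is not the one pinned for this API key")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("client certificate is outside its validity period")
	}
	return nil
}

// newSampleClientCert builds a constructed self-signed client certificate so the
// example runs offline; in the real flow the PEM arrives from the load balancer.
func newSampleClientCert() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(123456789),
		Subject:      pkix.Name{CommonName: "client-app-01", Organization: []string{"Example Partner"}},
		NotBefore:    time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}
```

Because the gateway is now trusting a header instead of its own TLS handshake, the header is only meaningful on requests that really came through the load balancer: the load balancer has to set or overwrite it on every request rather than forward a client-supplied value, and the gateway should accept it only from the load balancer's addresses. Pinning by DER fingerprint, as above, keeps the comparison stable whether the PEM arrives URL-encoded or flattened.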