I need to move a currently internet-facing mTLS VIP behind our CDN. The CDN must terminate the handshake with the originating client and pass the client cert data back to the Netscaler VIP in HTTP headers.
I would like to take the certificate data from the headers and then do a certificate revocation check from my Netscaler. Getting the CDN to do the CRL check appears to be beyond their intellectual capacity.
I am passing the certificate subject CN string in an API call using an httpCallout to an application tier for authentication. Thus, I need to take the HTTP data and make a CRL call after I complete the handshake with the CDN. Not sure if that is even possible or how to go about it. Any ideas welcome.
It's been a while since I visited the forum. I had to set my account up again. If this should go in a different topic, let me know.
Here are the relevant headers from the CDN:
X-SSL-Client-I-DN: CN=**********************,DC=******,DC=******,DC=***
X-SSL-Client-S-DN: emailAddress=************,CN=************,OU=**************,OU=*********,O=*****,L=************,ST=**,C=US
X-SSL-Client-Verify: FAILED:unable to verify the first certificate
X-SSL-Client-Serial: 680**********************************************C
X-SSL-Client-V-Remain: 116
X-SSL-Client-V-End: Jun 10 11:49:56 2024 GMT
X-SSL-Client-V-Start: Apr 12 11:49:56 2022 GMT
X-SSL-Client-Sha1: 299999999999999999999999999921F
X-SSL-Client-Cert: -----BEGIN%20CERTIFICATE-----%0AM#########0A-----END%20CERTIFICATE-----%0A
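Added example, not code from the post or from Citrix/NetScaler: the origin-side decision written in Go on top of the X-SSL-Client-* headers above, using only the standard library. It assumes the origin already has the issuing CA certificate and a DER-encoded CRL from the CA's distribution point; it takes the serial from X-SSL-Client-Serial rather than re-parsing X-SSL-Client-Cert, since both headers come from the same CDN and the serial is what a CRL lookup needs. CheckCDNClient and newFixture are names chosen here; newFixture builds a throwaway CA and CRL as constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCDNClient is the origin-side decision on the CDN's headers; nil means "allow the client".
func CheckCDNClient(h map[string]string, ca *x509.Certificate, crlDER []byte) error {
	serial, ok := new(big.Int).SetString(h["X-SSL-Client-Serial"], 16) // the CDN sends the serial as hex
	if h["X-SSL-Client-Verify"] != "SUCCESS" || !ok { // the post's sample shows FAILED: reject before any CRL work
		return fmt.Errorf("rejecting client: verify=%q serial=%q", h["X-SSL-Client-Verify"], h["X-SSL-Client-Serial"])
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL the issuing CA did not sign proves nothing
		return fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // stale CRL: fail closed rather than guess
		return fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("serial %X revoked at %s", serial, rc.RevocationTime)
		}
	}
	return nil
}

// newFixture is constructed test data: a throwaway CA, a CRL it signed revoking one serial, and the
// headers the CDN would forward for a client whose certificate carries clientSerial.
func newFixture(clientSerial, revokedSerial int64) (map[string]string, *x509.Certificate, []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Fixture CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}, ca, caKey)
	headers := map[string]string{"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-Serial": fmt.Sprintf("%X", clientSerial)}
	return headers, ca, crlDER
}
```

The headers are only as trustworthy as the path they arrive on, so the origin has to drop any X-SSL-Client-* headers that did not come from the CDN, and X-SSL-Client-Verify has to read SUCCESS before the serial is even looked at (the sample in the post shows FAILED).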