3

Certificate Header Format in Client Requests

• The SSLClientCertSerialNumber header format

The SSLClientCertSerialNumber header format

One of the options available for configuring an SSL proxy is the ability to insert headers into HTTPS client requests. Some headers correspond to a field of a client certificate, such as certificate status, version, issuer, and signature algorithm. Once the SSL proxy has inserted these headers, you can create a rule that load balances traffic based on the value of these headers.

One of these headers is the SSLClientCertSerialNumber header. In previous releases of the BIG-IP system, if the value of the SSLClientCertSerialNumber header was less than or equal to four bytes, the BIG-IP system displayed that value in decimal format. Any value greater than four bytes was displayed in hexidecimal format.

This inconsistency in format has been removed so that users writing rules to balance traffic based on a client certificate's serial number can write to a consistent format, regardless of the length of the serial number.

The format of the SSLClientCertSerialNumber header, when inserted into a client request, now has the following syntax, where hh is a two-digit hexidecimal number:

SSLClientCertSerialNumber: [(Negative)] hh[:hh]*

Thus, the serial number in the header contains two lower-case hexidecimal digits (0 to f), which represent each byte of the serial number. Each byte is separated by a colon (:). The following are examples of headers in this format:

• SSLClientCertSerialNumber: 10
  This hexidecimal value represents the decimal number 16.
• SSLClientCertSerialNumber: 20:0b:3d
  This hexidecimal value represents the decimal number 2,100,029.
  
  

  If, for some reason, the incoming serial number is explicitly encoded as a negative value, the string (Negative) appears before the serial number. For example:

• SSLClientCertSerialNumber: (Negative) 01
  This hexidecimal value represents the decimal number -1.