If you need to perform a search of a particular piece of data in the SUBJECT or ISSUER fields of a client’s SSL certificate, the CONTAINS and NOCONTAINS Operators will serve you well.  However, if you want to be more granular in your approach, you will likely get frustrated by using the offset values of the Classic AppExpert Expression.

Problems occur when administrators rely on IE’s reporting of the certificate values to determine the offset position within these fields rather than using openssl.  The reason you need to use openssl is because IE (and other browsers and operating systems) tend to incorrectly display the values of these parameters, messing up both the format and the order of the values.  So if you’re going to set offsets, do NOT get your position information from IE!  Use openssl instead.

For example, take a look at my test certificate:







See how IE makes it look as if you should be reading this list (the top half) from left to right? Or (the bottom half) top to bottom?   Unfortunately, these are completely backwards.  Worse, there aren’t any spaces or commas between the substrings.

So if you rely on what IE is telling you when you try to search in a specific location for “Rick.Davis@” you might use an offset of zero.  Or three.  But neither of those is correct.  OpenSSL will show you that the offset is actually 73!  

It’s completely contrary to what you might expect because this is how the subject field is read by the NetScaler:
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab

Proceedure

In order to accurately calculate the offset, you will need to use the openssl command.  Here’s how:

  1. Upload the client certificate to the NetScaler.
  2. Use OpenSSL to view the SUBJECT or ISSUER fields from the NetScalers CLI: 
> shell
cd /flash/nsconfig/ssl
openssl x509 -noout -in client.cer -subject
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab

The fields use ordinal numbering, so the first “/” character is number zero.  Here’s the location map: 

/C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab
0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123
0         1         2         3         4         5         6         7         8         9

References

CTX116431 How to Create and Use Client Certificates on the NetScaler 

CLIENT.CERT
CLIENT.CERT.SUBJECT
CLIENT.CERT.ISSUER
CLIENT.CERT.SIGALGO
CLIENT.CERT.VERSION
CLIENT.CERT.VALIDFROM
CLIENT.CERT.VALIDTO
CLIENT.CERT.SERIALNUMBER
CLIENT.CIPHER.TYPE
CLIENT.CIPHER.BITS
CLIENT.SSL.VERSION