SSL Client Certificate Authentication on a Load Balancing Vserver has two options: Optional and Mandatory.
In some scenarios, setting Client Authentication to Optional is not sufficient, because certain pages may require Client Certificate Authentication. With the Optional setting, a user can simply not present a certificate and still reach the load-balanced resource, bypassing the SSL check.
In such cases, a Content Switching Vserver can be leveraged to enforce Client Certificate Authentication for a particular page and bypass it for others, based on the request URL.
The steps below meet the following requirement:
If the HTTP Request URL contains /login, perform SSL Client Certificate authentication and an OCSP check.
If the HTTP Request URL does not contain /login, bypass SSL Client Certificate authentication and the OCSP check.
Instructions
In order to achieve this requirement, the configuration described below needs to be in place:
=> Create two non-addressable Load Balancing Vservers, A and B.
=> Create a Content Switching virtual server and two CS policies with the expressions below, then bind each policy to the Content Switching virtual server. When binding a policy, specify the target Load Balancing virtual server (A or B) accordingly:
Target LB Vserver (A) --> Client auth enabled (CS Policy expression: HTTP.REQ.URL.CONTAINS("/login"))
Target LB Vserver (B) --> Client auth disabled (CS Policy expression: HTTP.REQ.URL.CONTAINS("/login").NOT)
Content Switching Vserver configuration to enable Client Authentication selectively:
=> An SSL Policy and Action enabling Client Authentication and setting 'Client Certificate Verification' to MANDATORY. Based on the policy expression, this applies only to users whose requests are switched to Target LB (A).
example : add ssl action SSL_Action_Target_LB_A -clientAuth DOCLIENTAUTH -clientCertVerification Mandatory
add ssl policy SSL_Policy_Target_LB_A -rule "HTTP.REQ.URL.CONTAINS(\"/login\")" -action SSL_Action_Target_LB_A
The example above performs SSL Client Certificate Authentication when the HTTP request URL contains "/login".
Bind this policy to the CS Vserver.
Bind the CA certificates that will be used to verify the Client Certificate Chain on the CS Vserver.
Create an SSL Profile that enables SSL renegotiation (needed because the client certificate is requested after the initial handshake, once a matching request arrives) and enables the ClientAuthUseBoundCAChain flag, which enforces verification against the Client Certificate chain bound on the CS Vserver.
example : add ssl profile cs_ssl_prof -sessReuse DISABLED -tls1 DISABLED -denySSLReneg NONSECURE -clientAuthUseBoundCAChain ENABLED
=> Additionally, OCSP can be enabled to verify the certificates against an OCSP responder.
Configuring OCSP involves adding an OCSP responder and binding the OCSP responder to a certification authority (CA) certificate.
Commands : add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED )[-cacheTimeout <positive_integer>]] [ -batchingDepth <positive_integer>][-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>][-signingCert <string>][-useNonce ( YES | NO )][ -insertClientCert( YES | NO )]
bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
=> The CA Certificate must be bound with OCSP Check as Mandatory.
command : bind ssl vserver <vServerName>@ (-certkeyName <string> ( CA [-ocspCheck ( Mandatory | Optional )]))
example : bind ssl vserver "Content Switch vserver" -certkeyName ClientCARoot -CA -ocspCheck Mandatory
Note : Any SSL setting must be configured on the Content Switching Vserver only, as SSL offload takes place on the CS Vserver. The Target LB Vservers behind the CS Vserver only perform load balancing; the SSL settings that apply are those configured on the CS Vserver.
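As an added example (not part of the original article), the complete CLI sequence for the setup described above, in the order it is applied. The vserver, policy, certificate and responder names and the VIP address are placeholders; substitute your own, and bind your services to both LB Vservers as usual.

```netscaler
# Added example: placeholder names (cs_vip, lb_vsrv_A, lb_vsrv_B, cs_pol_*,
# srv_cert, ClientCARoot, ocsp_resp) and the VIP 192.0.2.10 are not the author's.

# 1. Two non-addressable LB Vservers (IP 0.0.0.0, port 0); A = client auth, B = no client auth
add lb vserver lb_vsrv_A HTTP 0.0.0.0 0
add lb vserver lb_vsrv_B HTTP 0.0.0.0 0

# 2. Content Switching Vserver that terminates SSL
add cs vserver cs_vip SSL 192.0.2.10 443

# 3. CS policies: /login goes to A, everything else to B
add cs policy cs_pol_login -rule "HTTP.REQ.URL.CONTAINS(\"/login\")"
add cs policy cs_pol_other -rule "HTTP.REQ.URL.CONTAINS(\"/login\").NOT"
bind cs vserver cs_vip -policyName cs_pol_login -targetLBVserver lb_vsrv_A -priority 100
bind cs vserver cs_vip -policyName cs_pol_other -targetLBVserver lb_vsrv_B -priority 110

# 4. SSL policy that demands (and verifies) a client certificate only for /login
add ssl action SSL_Action_Target_LB_A -clientAuth DOCLIENTAUTH -clientCertVerification Mandatory
add ssl policy SSL_Policy_Target_LB_A -rule "HTTP.REQ.URL.CONTAINS(\"/login\")" -action SSL_Action_Target_LB_A
bind ssl vserver cs_vip -policyName SSL_Policy_Target_LB_A -priority 100

# 5. Server certificate, plus the CA used to verify client certificates, with a mandatory OCSP check
bind ssl vserver cs_vip -certkeyName srv_cert
add ssl ocspResponder ocsp_resp -url http://ocsp.example.com/ -cache ENABLED
bind ssl certKey ClientCARoot -ocspResponder ocsp_resp -priority 1
bind ssl vserver cs_vip -certkeyName ClientCARoot -CA -ocspCheck Mandatory

# 6. Profile permitting secure renegotiation and use of the CA chain bound above
add ssl profile cs_ssl_prof -sessReuse DISABLED -tls1 DISABLED -denySSLReneg NONSECURE -clientAuthUseBoundCAChain ENABLED
set ssl vserver cs_vip -sslProfile cs_ssl_prof
```

To confirm enforcement, request a non-/login path and /login from a client that has no certificate: the first should succeed and the second should fail once the appliance requests the certificate. If your firmware requires the default SSL profile to be enabled before a custom profile can be bound, do that before step 6.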