2-Way SSL Authentication with irules.
Comments inline.
1) The customer's SSL certificate is self-signed. From what I understand, this won't fly, and they must get a certificate with an intermediate cert bundle that can be installed on the F5. Correct?
The burden of trust here is on the client in this case, so you technically can use a self-signed server certificate, but it is NEVER a best practice.
2) All the modifications take place on the client profile. I need to set Client Authentication to request or require and specify the intermediate cert bundle in this section as well.
Correct. The Client Authentication option will set the VIP to request a client certificate (mutual PKI authentication). The settings dictate what happens if the user doesn't provide a certificate or if certificate validation fails. Request is a "fail open" and Require is a "fail closed". The Trusted Certificate Authorities option is a single certificate or a bundle of certificate authority (CA) certificates. This needs to be the complete chain of CAs up to and including the self-signed root CA.
3) Can I set a server SSL profile on the originating VIP (VIP1)? VIP2 doesn't have SSL traffic offloading enabled.
A server SSL profile is only needed if you need to re-encrypt to the server. It has no bearing on client side mutual authentication.
4) If I can't set a server SSL profile on VIP1, what happens to the default traffic which is going to the pool under VIP1?
It won't be encrypted.
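
The chain requirement from answer 2, checked offline with OpenSSL before a CA bundle is uploaded. This is an added example, not part of the original thread; it shows OpenSSL's default path validation rather than BIG-IP itself, assumes the `openssl` CLI is installed, and every name and certificate in it is constructed test data.

```bash
#!/usr/bin/env bash
# Added example: every name, key and certificate below is constructed test data.
set -eu

# Build root CA -> intermediate CA -> client certificate inside directory $1.
make_pki() {
  local d=$1
  # Minimal config so the example does not depend on a system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    'x509_extensions=v3_ca' '[dn]' 'CN=placeholder' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.cnf"
  # Self-signed root CA.
  openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root and marked CA:TRUE.
  openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null
  # Client certificate, signed by the intermediate.
  openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=client01.example.test" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/client.pem" 2>/dev/null
  # Candidate trust bundle: intermediate plus self-signed root.
  cat "$d/int.pem" "$d/root.pem" > "$d/full-chain.pem"
}

# Return 0 only if certificate $2 chains to a self-signed root in bundle $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

work=$(mktemp -d)
make_pki "$work"
for bundle in int.pem full-chain.pem; do
  if chain_ok "$work/$bundle" "$work/client.pem"; then
    echo "$bundle: client certificate validates"
  else
    echo "$bundle: client certificate REJECTED (chain does not reach a root)"
  fi
done
```

Running the same `openssl verify -CAfile` check against the real bundle and a sample client certificate shows whether the bundle is missing a CA before any client is turned away.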