f5mkuDefault's avatar
Apr 08, 2021
Solved

2 way ssl facing pool member

Hi experts,

Just want to check, has anyone tried to enable 2 way SSL in which F5 is the client?

We know about enabling 2 way on the client SSL profile; with this method F5 is the one authenticating the client.

How about when it is facing the server? Server will enable 2 way SSL, F5 will be the client. Is this possible?

TIA

  • Hi TIA,

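    Yes, this is possible. In my load balancing pool, I have two nginx servers with the following config:

    # HTTPS virtual server
    server {
        listen 8443 ssl;
        server_name _;
        # Certificate and key nginx presents to the BIG-IP
        ssl_certificate /etc/ssl/certs/nginx.crt;
        ssl_certificate_key /etc/ssl/private/nginx.key;
        # CA used to verify the client certificate sent by the BIG-IP
        ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;
        # Not in the posted snippet, which ends at the line above: nginx only
        # requests and verifies a client certificate when this is enabled
        ssl_verify_client on;
    }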

    And in the Server SSL Profile I configured the following.

    ltm profile server-ssl pr_serverssl_mtls {
        app-service none
        cert ffive01.mydomain.com
        defaults-from pr_serverssl
        key ffive01.mydomain.com
    }

    The cert is issued by My_Domain_Issuing_CA. That's all it needs.

    KR

    Daniel
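
A pre-flight check for the setup in this reply, as an added example that is not part of the original post: it uses openssl to confirm that the certificate set in the Server SSL profile chains to the CA file nginx lists in `ssl_client_certificate` and is usable for TLS client authentication. The function names and the throwaway CAs and certificates are constructed for illustration; only `My_Domain_Issuing_CA` and `ffive01.mydomain.com` are names from the post.

```shell
#!/bin/sh
# Added example (constructed CAs and certs): check that the certificate set in
# the BIG-IP Server SSL profile will be accepted by the CA file nginx trusts.

# check_client_cert CA_FILE CERT_FILE
# Succeeds only if CERT_FILE chains to CA_FILE and is usable for TLS client auth.
check_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: throwaway self-signed CA, for this demo only.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# issue_cert DIR CA_NAME CN EKU: leaf certificate signed by CA_NAME.
issue_cert() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" >"$1/$3.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -extfile "$1/$3.ext" -out "$1/$3.crt" \
        >/dev/null 2>&1
}

# demo: prints one verdict per constructed certificate; returns 0 if the
# verdicts are accept, reject (wrong CA), reject (no clientAuth usage).
demo() {
    d=$(mktemp -d) || return 1
    ca="$d/My_Domain_Issuing_CA.crt"
    make_ca "$d" My_Domain_Issuing_CA
    make_ca "$d" Other_CA
    issue_cert "$d" My_Domain_Issuing_CA ffive01.mydomain.com clientAuth
    issue_cert "$d" Other_CA wrong-ca.example clientAuth
    issue_cert "$d" My_Domain_Issuing_CA server-only.example serverAuth
    verdicts=""
    for cn in ffive01.mydomain.com wrong-ca.example server-only.example; do
        if check_client_cert "$ca" "$d/$cn.crt"; then v=accept; else v=reject; fi
        echo "$cn: $v"
        verdicts="$verdicts$v "
    done
    rm -rf "$d"
    [ "$verdicts" = "accept reject reject " ]
}

demo
```

Against real files, pass `check_client_cert` the CA file nginx references and the certificate exported from the BIG-IP.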
