Forum Discussion
2 way ssl facing pool member
hi experts,
just want to check, have anyone tried to enable 2 way ssl from which F5 is the client?
We know enabling the 2 way on the client ssl profile, this method F5 is the one authenticating client.
How about when it is facing the server? Server will enable 2 way ssl, F5 will be the client. Is this possible?
TIA
Hi TIA,
yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:
# HTTPS virtual server server { listen 8443 ssl; server_name _; ssl_certificate /etc/ssl/certs/nginx.crt; ssl_certificate_key /etc/ssl/private/nginx.key; ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;
And in the Server SSL Profile I configured the following.
ltm profile server-ssl pr_serverssl_mtls { app-service none cert ffive01.mydomain.com defaults-from pr_serverssl key ffive01.mydomain.com }
The cert is issued by My_Domain_Issuing_CA. That's all it needs.
KR
Daniel
Hi TIA,
yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:
# HTTPS virtual server server { listen 8443 ssl; server_name _; ssl_certificate /etc/ssl/certs/nginx.crt; ssl_certificate_key /etc/ssl/private/nginx.key; ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;
And in the Server SSL Profile I configured the following.
ltm profile server-ssl pr_serverssl_mtls { app-service none cert ffive01.mydomain.com defaults-from pr_serverssl key ffive01.mydomain.com }
The cert is issued by My_Domain_Issuing_CA. That's all it needs.
KR
Daniel
- f5mkuDefaultCirrus
thanks Daniel. This helps a lot!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com