Forum Discussion

Nimbostratus

Sep 03, 2013

2 way SSL implementation

Hi All, We are currently implementing 2-way SSL on our F5. Servers is using port 8011 and we need to encrypt only from client to F5. Now, we use self-signed certificate from F5 since the client ...

deployment

design

Kevin_Stewart

Employee

Sep 11, 2013

Yes, that's absolutely normal. There's two things going on:

You're using what appears to be the default client SSL certificate/key on the BIG-IP.
You're accessing the VIP with an IP address.

A browser will generally complain if:

The x509 subject of the certificate that is provided by the server in the SSL negotiation doesn't match what is requested (happens when you use an IP address to access the site)
The certificate provided by the server/VIP in the SSL negotiation is somehow invalid (expired, revoked, etc.)
The client cannot create an explicit trust chain from the server's certificate to the issuing CA certificate(s). These are the certificates in the browser's intermediate and trusted authority trust stores.

You'll eventually need to import a good cert/key pair to the BIG-IP and then modify the VIP's client SSL profile to use these.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)