Forum Discussion
BIG-IP SSL monitor with client certificate?
Which LTM version are you running? I think the options for HTTPS monitors have changed slightly in recent versions.
1) After combining the certificate and key into a single file, is there really a possibility in the monitor configuration to specify a "fully qualified path" as the instruction says? What I see for the moment in the certificate drop-down list is only the names ca-bundle and default.
In 10.1, you'll need to import the client cert and key separately (or just copy them to /config/ssl/ssl.crt and /config/ssl/ssl.key respectively) and then select them in the GUI for the monitor.
2) If I will be able to specify the combined file in the certificate field, then I suppose that I should leave the client key field blank?
I don't think you can include them together in the same file. I think you must specify the cert and key separately in the monitor config.
3) I can order the certificate in PEM/base64 format. Our CA authority would possibly require me to order the certificate with a passphrase for the key, I suppose. Would that work for the monitor, or do I have to get a certificate/key without a passphrase?
I can't see anywhere to configure a passphrase for a monitor.
It doesn't look like the HTTPS monitor supports a passphrase for a key. Even if the key was originally created with a passphrase, you can remove it using openssl on the LTM command line:
openssl rsa -in /config/ssl/ssl.key/client.encrypted.key -out /config/ssl/ssl.key/client.decrypted.key
4) I have requested to get the certificate/key to be used identically on both BIG-IPs in the HA pair, but the CA would prefer to have a unique certificate/key for each BIG-IP.
Would that work with the synchronization? I've told them that the synchronization will include the certificate files and overwrite what's in the unit you are synchronizing against, and that requires me to use only one combination of the certificate/key files for both machines. Am I right?
When you sync the config, the shared configuration, including SSL certs and keys, will be loaded on the peer. So you can only have one cert/key per pair of units. The CA might want you to pay for multiple certs/keys, but functionally it makes no difference.
Aaron
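The passphrase-removal step from Aaron's answer, with the checks a practitioner would run before dropping the key into the monitor's key directory (that the output really is unencrypted and that it matches the certificate). This is an added example, not code from the thread or from F5; it assumes `openssl` is on the PATH, and the file names and the self-signed test pair are constructed stand-ins for the CA-issued files.

```shell
#!/bin/sh
# Added example (not from the original thread): strip the passphrase from a
# client key as described in the answer, then verify the result before use.
# Assumes openssl is available; all paths and the demo cert/key are constructed.
set -eu

# strip_key_passphrase ENCRYPTED_KEY PASSPHRASE DECRYPTED_KEY
# Writes an unencrypted PEM copy. Because the monitor reads it with no
# passphrase, file permissions are the only guard, so create it mode 0600.
strip_key_passphrase() {
    umask 077
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# key_is_encrypted KEYFILE -> exit 0 if the PEM header still shows encryption
# (covers both PKCS#8 "ENCRYPTED PRIVATE KEY" and legacy "Proc-Type" headers).
key_is_encrypted() {
    grep -q -e 'ENCRYPTED' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# cert_matches_key CERT KEY -> exit 0 if both carry the same public key
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}

# demo: build a constructed self-signed cert + passphrase-protected key,
# strip the passphrase, run the checks; prints the temp dir on success.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -subj '/CN=monitor-client' -days 1 \
        -keyout "$d/client.encrypted.key" -out "$d/client.crt" \
        -passout 'pass:demo-passphrase' >/dev/null 2>&1
    strip_key_passphrase "$d/client.encrypted.key" demo-passphrase \
        "$d/client.decrypted.key"
    key_is_encrypted "$d/client.encrypted.key"   || return 1
    ! key_is_encrypted "$d/client.decrypted.key" || return 1
    cert_matches_key "$d/client.crt" "$d/client.decrypted.key" || return 1
    echo "$d"
}
```

On the LTM the decrypted file would then be placed under /config/ssl/ssl.key/ and selected as the monitor's client key, as the answer above describes.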