Forum Discussion
KenJ_50171
Nimbostratus
Jul 21, 2009
certificate for serverssl
I'm grappling with what it means to have a certificate for a "serverssl" profile, between the F5 Big-IP LTM and the back-end server. (I have a paranoid application owner who wants to do this, and it's a low-traffic service so bandwidth and CPU are not an issue.)
What should the Common Name be for a serverssl certificate? Does it even matter? Outside of a browser-type environment, what checking is going to be done?
Thanks as always for your thoughts.
(Does the cert need to be accessed for Health Monitor checks? If so, then I need to apply it to three IP addresses: the hardware addresses of each of my High Availability units, and the floating address which actually handles user traffic. I think...)
4 Replies
- hoolio
Cirrostratus
For server side SSL, LTM will be acting as a client. So the app owner should generate a client cert from his server certificate. You can then install it on LTM. As you guessed, you should configure it for the server SSL profile and for an HTTPS monitor. The health monitor just needs to be assigned to the pool member(s) which you want to monitor--you shouldn't need to configure which LTM self IP addresses use the cert. The requests will be made from each unit's static self IP address to the pool members.
I think the server SSL profile can be configured to validate the CN of the server cert. I don't have a box in front of me to double check this. But you should be able to read the LTM config guide for your version or the online help for details.
Aaron
- KenJ_50171
Nimbostratus
Ah, many thanks for clearing that up!!!
- dennypayne
Employee
As you surmised though, no checking is normally done on the serverside cert. I have used the default self-signed cert in the serverside profile and it works fine.
Denny
- hoolio
Cirrostratus
Sorry, maybe I misinterpreted what the poster was trying to do.
"I have a paranoid application owner who wants to do this, and it's a low-traffic service so bandwidth and CPU are not an issue."
Ken, did you mean you wanted to use client/server certs for the server side connection or just server SSL without a client cert on LTM? If the latter, as Denny says, you can just use the default server SSL profile. LTM won't send a client cert and won't do any checking of the server's certificate. If you want/need to, you could configure the Trusted Certificate Authorities, Chain and Server Certificate to validate the client cert. All you would be doing though is ensuring LTM and the server are only connecting to each other--you wouldn't be checking anything to do with the clientside certificates/identity.
Aaron
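For readers who want to see what "configure the Trusted Certificate Authorities, Chain and Server Certificate" looks like in practice, here is an added tmsh example (it is not part of the thread and not configuration posted by Ken, Aaron or Denny). It assumes certificate objects named ltm-client.crt / ltm-client.key (a client cert issued to the LTM), backend-ca.crt (the CA that signed the pool members' server certs) and a pool member hostname of backend.example.com; all of those names are placeholders. It also assumes a tmsh-capable version of TMOS, which the 2009 poster may not have had.

```tmsh
# Server-side SSL profile: LTM is the TLS client toward the pool member.
# Assumed object names (ltm-client.*, backend-ca.crt, backend.example.com) are placeholders.
create ltm profile server-ssl serverssl_mtls {
    defaults-from serverssl
    # Client cert/key LTM presents to the back-end server (mutual TLS).
    cert ltm-client.crt
    key ltm-client.key
    # Intermediate chain sent with the client cert, if the app owner's CA uses one.
    chain ltm-client-chain.crt
    # CA bundle LTM uses to verify the *server's* certificate. Without this and
    # peer-cert-mode require, LTM does no checking of the server cert at all.
    ca-file backend-ca.crt
    peer-cert-mode require
    # The name LTM expects in the server cert's CN; this is the CN/SAN the
    # pool members' certificate should carry, not LTM's self IPs.
    authenticate-name backend.example.com
    # Fail closed rather than silently accepting expired or untrusted certs.
    expire-cert-response-control drop
    untrusted-cert-response-control drop
}

# HTTPS monitor that presents the same client cert, so a back end that
# requires client certs does not mark every pool member down.
create ltm monitor https https_mtls_check {
    defaults-from https
    cert ltm-client.crt
    key ltm-client.key
    send "GET / HTTP/1.1\r\nHost: backend.example.com\r\nConnection: close\r\n\r\n"
    recv "200 OK"
}

# Attach both to the pool; monitor traffic originates from each unit's
# non-floating self IP, so the pool member's own cert is what gets checked.
modify ltm pool backend_pool { monitor https_mtls_check }
modify ltm virtual app_vs { profiles add { serverssl_mtls { context serverside } } }
```

The point of this split is the one Aaron makes: cert/key/chain are about what LTM proves to the server, while ca-file, peer-cert-mode and authenticate-name are about what LTM checks on the server. Leaving the latter three at their defaults is the "no checking is done" case Denny describes, where any certificate, including the default self-signed one, is accepted. The CN that matters is the one on the pool member's certificate; it has nothing to do with LTM's static or floating self IPs.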