Forum Discussion
Certificates implementation in "SSL forward proxy client and server authentication" scenario.
I want to implement SSL forward proxy client and server authentication, and I am not sure how certificates are implemented. How can it be done? I mean how do I have to implement client and server certificates in order to proxy/forward SSL traffic to a backend SSL server? I am using a BIG-IP LTM appliance.
- Cory_50405 (Noctilucent)
I might be mistaken, but it sounds like you need reverse proxy services. Certificates are used by SSL profiles. Jason put together a good read on SSL profiles which you can find here:
https://devcentral.f5.com/articles/ssl-profiles-part-1.UyL53YXD-18
What kind of authentication will you need? If you are using client certificate based, then you'll need to look into using proxy SSL:
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
- Alain_Morin_147 (Nimbostratus)
I am trying to implement the scenario explained in the article: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html Under BIG-IP LTM version 11.3.0, File Management: SSL Certificate List, I created a certificate named "test.domain.com" which generated a file. I sent the file to our CA management team and they returned 2 files to me (certtest.cer and certtest.p7b). Then I imported it to BIG-IP and bound it to a client SSL profile. Then I had our CA team generate a certificate file containing the backend server's certificate and key, which I imported to the BIG-IP and bound to a server SSL profile. I followed the procedure mentioned in the article, but I get an error connecting to the site. Using the Google Chrome browser, I get more explanation about the error: Error type: Malformed certificate Objet: backendserver.domain.com Issuer: test.domain.com
I am wondering how certificates should be implemented in such a scenario.
Best regards, Alain
- Cory_50405 (Noctilucent)
You should be able to use the backend server certificate and key for both your client and server SSL profiles. I would think this would be desired behavior if you want the LTM to behave as if it's the web server, from the end user's perspective.
Try changing your SSL client profile to use the same certificate/key pair as the SSL server profile and see if this makes a difference.
- Alain_Morin_147 (Nimbostratus)
I am not sure this makes sense, as I want to go to https://test.domain.com and there are 2 backend servers that are load balanced as backendserver1.domain.com and backendserver2.domain.com. Each of those servers has its own certificate. How can I assure client communications in this case?
- Cory_50405 (Noctilucent)
My apologies, I was unaware you had multiple backend servers.
Are you certain that the certificate you imported and applied to your client SSL profile is properly formatted? It sounds like the certificate may be the problem in this case.
- Kevin_Stewart (Employee)
The client SSL profile is used to manage the SSL session between the client and the proxy. The server SSL profile is used to manage the SSL session between the proxy and the server. For client side SSL, you need at a minimum a server certificate and private key in this profile. This is the certificate that the server (F5) will present to the client during its SSL handshake. You can further configure client side mutual authentication here (client certificates), but it doesn't sound like you need to do that. For server side SSL, the proxy is actually the client in this SSL handshake, so there's usually very little you have to do here. In fact in most cases you can use the built-in serverssl profile with no modifications. The only time you'd add certificates and/or CA chains to this profile is if you're required to do explicit certificate validation and/or mutual authentication in this SSL handshake, which is rare.
To the subject of your question though, forward proxy SSL is something completely different. This is when the F5 is in forward proxy mode and you want to decrypt and re-encrypt outgoing SSL traffic. You're trying to access servers internal to your environment, so this is a reverse proxy.
- Alain_Morin_147 (Nimbostratus)
I understand your point. However, I am not sure how to implement the procedure, and it is exactly what I am looking for.
- Cory_50405 (Noctilucent)
Based on your first response, I think you are on the right track. It's just that the client-side certificate might be your issue. Can you replace it with a known good certificate/key pair and retest?
- Alain_Morin_147 (Nimbostratus)
I had the certificate re-issued and I still have the same error. Error type: Malformed certificate Object: backendserver.domain.com (which is the server behind F5) Issuer: test.domain.com (which is the URL called by the client PC) Is the procedure missing instructions? http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html Or I must be missing something here. I am somewhat lost in all this.
- Cory_50405 (Noctilucent)
Can you please post your virtual server and SSL client/server profile configurations?
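Cory's advice above, to confirm that the certificate bound to the client SSL profile is properly formatted and is a known good certificate/key pair, can be scripted with the openssl CLI before the files are imported into the BIG-IP. The following is an added example, not code from the thread or from F5: it builds its own throwaway CA and leaf certificates locally, so the file names, the CA name and the check_cert helper are all constructed here; the "wrong" leaf reproduces the shape of the error Alain reports (subject is the backend host, not the name the browser types).

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a cert/key pair before binding it
# to a BIG-IP client SSL profile. Needs only the openssl CLI. All material below is
# constructed locally; no real domain.com certificates are involved.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a private CA, a correct leaf for test.domain.com, and a
# "wrong" leaf whose subject is the backend host (the shape of the error in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
mk_leaf() {  # $1 = basename, $2 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}
mk_leaf good test.domain.com
mk_leaf wrong backendserver.domain.com

# check_cert CERT KEY CAFILE EXPECTED_CN
# Returns 0 only when all hold: CERT is parseable PEM, its subject CN is the name the
# browser will type, the chain verifies to CAFILE, and KEY is the matching private key.
# Distinct exit codes (1-4) tell you which check failed.
check_cert() {
  cert=$1; key=$2; ca=$3; expected=$4
  subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) \
    || { echo "FAIL: certificate not parseable (malformed or wrong encoding?)"; return 1; }
  cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  [ "$cn" = "$expected" ] || { echo "FAIL: subject CN '$cn' != expected '$expected'"; return 2; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: chain does not verify against $ca"; return 3; }
  cm=$(openssl x509 -in "$cert" -noout -modulus | openssl md5)
  km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
  [ "$cm" = "$km" ] || { echo "FAIL: private key does not match certificate"; return 4; }
  echo "OK: CN=$cn, $(openssl x509 -in "$cert" -noout -issuer)"
}

check_cert "$WORK/good.crt"  "$WORK/good.key"  "$WORK/ca.crt" test.domain.com
check_cert "$WORK/wrong.crt" "$WORK/wrong.key" "$WORK/ca.crt" test.domain.com || true
```

Run the same check against the real certtest.cer and its key with the CA team's root as CAFILE; a .p7b bundle must first be converted to PEM (openssl pkcs7 -print_certs) before openssl x509 will parse it.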