client authentication certificate

Question

Hello Team,&nbsp;
We have one application running on two IIS server with client certificate authentication. Could you please help me to loadbalance this and what modification required on client ssl profile.&nbsp;

kevin_stewart · Answer

Mike, you cannot terminate the SSL between the client and server if the server requires a client certificate. The client must digitally sign a piece of information and send that to the server during the handshake. A digital signore uses the sender's private key to encrypt, so if you decrypt and attempt to re-encrypt at a proxy, the proxy wouldn't have access to the client's private key.&nbsp;
At a minimum, you'd have to switch into layer 4 load balancing mode, with no client or server SSL profiles, and nothing more than source address for persistence.&nbsp;
You could optionally move the certificate authentication to the F5 with the Access Policy Manager module, and perform some other type of authentication to the backend web servers.&nbsp;

Forum Discussion

client authentication certificate

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP in https that redirect to another vip in https

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

F5 XC 503 upstream_reset_before_response_started{protocol_error}

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Related Content

BIG-IQ Client Certificate (PKI) Authentication

SSL Profiles Part 8: Client Authentication

Automating Certificate Management on F5 BIG-IP

APM Clientless certificate authentication

Client Authentication with certificate on one URI only

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS