Gajji
Mar 28, 2020

Client side and Server side SSL profile

If I apply the same certificate to both profiles (client and server), what is the use or advantage of the same certificate?

  • Certificates on Client and Server SSL profiles have different purposes. On a Client SSL profile, BIG-IP is the server, so a certificate is applied for the purpose of authenticating BIG-IP to its clients, and it’s sent in the Server Hello message. You can also add a certificate bundle to the Client SSL profile to make it authenticate clients, but this certificate is used locally for the purpose of verifying whether the client certificate is valid.

    On a Server SSL profile, BIG-IP is the client. In that case, you can add a certificate that BIG-IP can send to the back-end server to authenticate itself as a client. You can also add a certificate bundle to verify the server’s certificate validity locally.

    Nevertheless, adding client and server SSL profiles to BIG-IP has the advantage of making traffic encrypted on both sides.

  • It's up to you. The default setting is NONE under server SSL. When you apply a Server SSL profile to a VS, the BIG-IP system acts as an SSL client. If you don't intend for the BIG-IP system to present its client certificate on behalf of clients traversing the VS, choose None. If you expect the BIG-IP system to present a client certificate, then choose the appropriate certificate and key from the list. (Here the certificate and its associated key should be imported on the BIG-IP system.)

    • Ahmed_Galal

      It all depends on your infrastructure design: is F5 the gateway for the servers, is there an NGFW or any security appliance between F5 and the servers, and can these devices handle SSL inspection or will it delay your traffic!!
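
The two roles described in the first reply, written out as a BIG-IP configuration fragment. This is an added example, not part of the original thread; every object name in it (example_clientssl, example_serverssl and the .crt/.key files) is an assumed placeholder.

```conf
# Added example (constructed); all object names are placeholders.

# Client SSL profile: BIG-IP is the TLS server toward clients.
ltm profile client-ssl /Common/example_clientssl {
    defaults-from /Common/clientssl
    # Certificate and key BIG-IP presents to clients.
    cert-key-chain {
        example_0 {
            cert /Common/vs-server.crt
            key /Common/vs-server.key
        }
    }
    # Optional: bundle used locally to validate client certificates.
    ca-file /Common/client-ca-bundle.crt
    peer-cert-mode require
}

# Server SSL profile: BIG-IP is the TLS client toward the back-end server.
ltm profile server-ssl /Common/example_serverssl {
    defaults-from /Common/serverssl
    # Optional: certificate and key BIG-IP presents as a client
    # (leave unset, i.e. None, if the back end does not ask for one).
    cert /Common/bigip-client.crt
    key /Common/bigip-client.key
    # Optional: bundle used locally to validate the server's certificate.
    ca-file /Common/backend-ca-bundle.crt
    peer-cert-mode require
}
```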