
Forum Discussion

Muhammad_Irfan1
Nov 06, 2014

Client side certificate and server side certificate in HTTPS

I will offload HTTPS traffic from clients on the F5. The F5 will decrypt it, encrypt it on the server side, and send it to the Siebel web servers.

  1. To my understanding, I will create a .CSR file and the CA will provide me a certificate, which I will upload and add to the client-side profile.

  2. The Siebel web servers will generate a .CSR file and the CA will provide them a certificate, which they will put on their web servers and give to me, and which I will put in the F5 server-side profile.

Am I right? Another thing I am confused about is what I should put in the Common Name and Subject Alternative Name. They say we need to put the FQDN in the Common Name. But the FQDN of what? The FQDN of the F5 or of the Siebel web servers? But FQDN is false on web servers as well. Does FQDN mean what the F5 virtual server IP is resolved to in DNS?

6 Replies

  • shaggy

    Item 2: adding the cert/key to a server-ssl profile is not necessary unless the Siebel servers are authenticating client certificates.

    The common name should be the FQDN of the F5 virtual server IP resolved in DNS. Subject alternative names should be any additional hostnames that can/will be used to access the site (a common example is a common name of www.abc.com with a SAN of abc.com).

     

    • Muhammad_Irfan1
      Yes, the Siebel servers will authenticate the client certificate, and in this case the F5 will be the client for the Siebel servers, right? OK, on the client-side profile the certificate will be created by the F5 .CSR file, or can the same certificate work for both the Siebel servers and the client side?
    • shaggy_121467
      Specify a certificate/key in the server-ssl profile that the Siebel servers trust. You should submit the CSR to have a certificate created by either a public or internal CA that users trust. The certificate referenced in the client-ssl profile will be what all end-users see.
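
An added example, not part of the original thread: a Python check of which client-facing hostnames a planned client-ssl certificate would cover, using RFC 6125 matching, under which the CN is ignored as soon as the certificate carries any SAN dNSName. The function names and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: which hostnames does a planned CN/SAN combination cover?
# All hostnames below are constructed sample values.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName (or CN) against a requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # wildcard is accepted only as the entire leftmost label,
        # and never directly under a top-level domain ("*.com")
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def uncovered_hostnames(common_name, san_dns_names, hostnames):
    """Return the hostnames for which a client would reject the certificate.

    RFC 6125: when any SAN dNSName is present, only the SAN list is
    checked and the CN is ignored. The CN is a fallback only for
    certificates without SAN, and current browsers no longer honour it.
    """
    names = list(san_dns_names) if san_dns_names else [common_name]
    return [h for h in hostnames
            if not any(_name_matches(n, h) for n in names)]


# Constructed scenario: users reach the F5 virtual server under both names.
CLIENT_HOSTNAMES = ["www.abc.com", "abc.com"]

# CN = www.abc.com, SAN lists only abc.com: the CN name is not covered.
SAN_WITHOUT_CN = uncovered_hostnames(
    "www.abc.com", ["abc.com"], CLIENT_HOSTNAMES)

# CN repeated inside the SAN list: both names are covered.
SAN_WITH_CN = uncovered_hostnames(
    "www.abc.com", ["www.abc.com", "abc.com"], CLIENT_HOSTNAMES)

# Wildcard: covers one label below abc.com, not the apex or deeper names.
WILDCARD = uncovered_hostnames(
    "*.abc.com", ["*.abc.com"], CLIENT_HOSTNAMES + ["a.b.abc.com"])

if __name__ == "__main__":
    print("SAN without CN, rejected for:", SAN_WITHOUT_CN)
    print("SAN with CN,    rejected for:", SAN_WITH_CN)
    print("Wildcard,       rejected for:", WILDCARD)
```

When building the CSR for the client-ssl profile, list every hostname users will type, the Common Name included, as a SAN entry.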