Forum Discussion
Janez
Nimbostratus
NimbostratusClient use certificate to autenticate to Server
Hello,
I have question how properly configure Client SSL profile and Server SSL profile on virtual server that client can autenticate to server which is behind F5.
I want to implement ASM policy on Vitrual server and look into traffic.
Which certificare I must use and where in configuration of profile.
Thanks,
Janez Persin
I think you will need the Proxy SSL feature to achieve this. See:
https://support.f5.com/csp/article/K13385
https://devcentral.f5.com/s/articles/How-Proxy-SSL-works-on-BIG-IP
JanezHello,
Thanks for this but I don't now how I must configure Client SSL profile. Which certificat I must Use.
Thanks,
Janez
You can use whatever Client SSL profile you want, because when using Proxy SSL, this certificate is ignored:
- BIG-IP copies same Server SSL/Back-end Server certificate to Certificate message sent to Client on client-side
- BIG-IP completely ignores certificate you configured on Client SSL. It always uses the same server-side certificate.
You should import the servers certificate and key:
BIG-IP has an extra configuration requirement for Proxy SSL configuration (according to K13385) that you should add the same certificate/key present on the back-end server to Certificate/Key fields on Server SSL proxy of BIG-IP. This way BIG-IP can decrypt both client and server sides of connection.
- BIG-IP copies same Server SSL/Back-end Server certificate to Certificate message sent to Client on client-side
- Janez
Hello,
I understant the post but problem is that server use ECDHE ciphers and ciphers which use Perfect Forward Secrecy are not allowing such a decryption with SSL Proxy.
Stanislas_Piro2Cumulonimbus
The best solution is to enable C3D feature...
the bigIP have a CA signing client certificate with same properties as real client certificate.
this feature is available starting with version 13.1
- Stanislas_Piro2
