Forum Discussion
Does the serverssl profile require a certificate?
Hi
We want to use the F5 for SSL bridging (decrypt using the client SSL profile and re-encrypt using the serverssl profile).
The problem is that our server uses a self-signed root certificate, and the certificate name is the server IP (e.g. 10.10.10.1).
How do we configure the server SSL profile?
Should we just choose None in the certificate setting?
Should we import the self-signed root certificate the server is using into the BIG-IP? Where do we import it?
Thank you
Kridsana
It is not a requirement. The default server-ssl profile works without certificate checking.
Checking the backend certificate enhances the security. Import is done like any other certificate: System -> Certificate Management -> Traffic Certificate Management.
- kridsanaCirrocumulus
What if the server is using a self-signed root certificate (e.g. Internal-Root-Cert-only-we-have.crt)?
Won't the F5 get a certificate error, because the F5 doesn't have that self-signed root cert?
Hi kridsana,
You don't need a certificate or key on the server side; it will be fine for you.
Let me explain some points.
Imagine you are browsing a website such as { F5.com }. Will you need to set up a specific F5 digital certificate to visit their site? Actually no, you do not need that, and this is common for all public websites.
So in the case of { SSL bridging }, or adding server SSL, you only make the BIG-IP act as a client to the web application server / pool member that sits behind your BIG-IP.
The BIG-IP in this case does what you do when visiting any website.
Even if the server / pool member certificates aren't signed by a public CA, your BIG-IP will ignore this "trust" challenge and proceed with the SSL negotiation, establishing the needed secure connection between the BIG-IP and the selected pool member.
This makes sense because, as a client, you don't have to offer a digital certificate to any website; you as a client wait to receive the "web site digital certificate" signed by a well-known CA, after that you as a client verify this certificate, its validity period and its signature, and then you as a client start the key exchange phase with the web site's servers (maybe it is a BIG-IP or a firewall that has the server certificate / public key ...).
Without going in depth into SSL negotiations and connections: your connections as a client are similar to the server-side connections in the case of SSL bridging, and you can achieve your requirements without adding extra certificates. I mean, use the default serverssl profile; it will not cause issues for you.
I hope this helps you.
- kridsanaCirrocumulus
Thank you for the explanation. I now understand that the F5 doesn't need the server's self-signed root certificate imported.
Can I ask one more question?
What happens if the server IP is 10.10.10.10 but its certificate has a different name (not 10.10.10.10)? E.g. the CN is the server hostname, or the CN is the IP 192.168.1.1.
Will the F5 still ignore the certificate trust and will everything still work fine?
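As an added example (not from the thread or from F5's own documentation), here is the same choice expressed in tmsh: the default profile, which behaves as the reply above describes, next to a verifying profile that uses the imported internal root. The profile names, the virtual server name vs_https and the /var/tmp path are placeholders; the root certificate name and the IP 10.10.10.1 are taken from the thread.

```tmsh
# Default behaviour, as described in the thread: the stock serverssl profile
# does not check the pool member's certificate (peer-cert-mode ignore), so a
# self-signed backend certificate produces no error on the BIG-IP.
create ltm profile server-ssl serverssl-no-verify defaults-from serverssl peer-cert-mode ignore

# Verifying variant. First import the internal root certificate (the GUI
# equivalent is System -> Certificate Management -> Traffic Certificate
# Management). Placeholder file path; the BIG-IP stores the object as
# <name>.crt, confirm the exact object name with "list sys crypto cert".
install sys crypto cert Internal-Root-Cert-only-we-have from-local-file /var/tmp/Internal-Root-Cert-only-we-have.crt

# Require the backend chain to validate against that root and require the
# certificate name to match the pool member's identity (here the IP used as CN).
create ltm profile server-ssl serverssl-verify-internal defaults-from serverssl peer-cert-mode require ca-file Internal-Root-Cert-only-we-have.crt authenticate-name 10.10.10.1

# Use it as the server-side profile of the bridging virtual server (placeholder name).
modify ltm virtual vs_https profiles add { serverssl-verify-internal { context serverside } }

# Review the settings that matter for backend verification.
list ltm profile server-ssl serverssl-verify-internal peer-cert-mode ca-file authenticate-name
```

With the verifying profile, a backend certificate that does not chain to the imported root, or whose name does not match authenticate-name, fails the server-side handshake instead of being ignored; check /var/log/ltm when pool members become unreachable after the change.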