Forum Discussion

kridsana's avatar
kridsana
Icon for Cirrocumulus rankCirrocumulus
Mar 03, 2023

Did Serverssl profile require certificate?

Hi

We want to use F5 as SSL bridging (Decrypt using ssl client profile and re-encrypt using serverssl profile)

Problem is our server using self-sign root certificate and certificate name is IP server (eg. 10.10.10.1 )

How do we config SSL server profile ?

Should we just choose None on certificate setting?

Should we import self-sign root certificate server using into BIG-IP? where to import?

Thank you
Kridsana

 

  • It is not a requirement. The default server-ssl profile works without certifcate checking.

    Checking the backend certificate enhances the security. Import is done like any other certificates System -> Certificate Management -> Traffic Certificate Management

    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus

      What if server using self-sign root certificate (eg. Internal-Root-Cert-only-we-have.crt)

      Won't F5 have certificate error? because F5 didn't have that self-sign root cert.

       

  • Hi kridsana , 
    you don't need a certificate or key in server side , it will be fine with you. 
    Let me explain some points. 

    Imagine you you are browsing a website such as { F5.com } , will you need to setup a specified F5 digital certificate to visit their site ? Actually no , you do not need that , and this common in all public websites. 

    So in the case of { SSL bridging } or adding server ssl , it's only you make Bigip to act as a client with the web application server/ pool member which locates behind your Bigip. 

    The Bigip in this Case do what you do when visiting any website. 

    even if the Server/pool member Certificates don't signed by Public CA , your Bigip will ignore this "trust" Challenge and proceed in ssl negotiations and establishing the needed secure connections between Bigip and the selected pool member. 

    This make sense because as a client you don't have to offer a digital certificate to any website , but you as a client waits to receive the "Web site digital Certificate " signed by a well known CA , after that you as a client verifies this Certificate and it's valid duration and signature , then you as a client starts to the Key exchange phase with web site servers ( maybe it is a Bigip or any firewall has the server certificate /public key ..... ). 

    Without going in-depth in ssl negotiations and connections , but your connections as a client similar to server side connections in case of ssl bridging , and you can achieve your requirements without adding extra certificates , I mean use the default ssl-server profile , it will not make issues with you.

    I hope this helps you.

    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus

      Hi Mohamed_Ahmed_Kansoh 

      Thank you for explanation. I now understand F5 doesn't need to import root self-sign certificate of server into F5.

      Can I ask one more question?

      What happen if server IP 10.10.10.10 but they have certificate name different (not 10.10.10.10) ?  .... eg. CN is server hostname or have CN as ip 192.168.1.1 

      Will F5 still ignore trust certificate and everything still working fine?