Forum Discussion

RT
Jun 11, 2019

Do ADFS Certs and F5 Certs Need to Be Upgraded Simultaneously

We have an F5 which load balances external traffic through our ADFS 2016 proxies, pointing to the default proxy URL, sts.'ourorg'.com. We need to replace the expiring ADFS certificates. Does the certificate upgrade need to happen simultaneously on both the ADFS servers and the F5 or if both have a valid certificate, whether the soon-to-expire or new, will communication still be secure? Thank you.

  • RT

    I found out we use pass-through so there is no need to update certificates on the F5. That makes life easier!

    • That invalidates the requirements of your initial question...

      But I'm glad you have solved it.

      KR,

      Dario.

  • F5 works as a full-proxy infrastructure, having a client side (the connection between external clients and the F5) and a server side (the connection between the F5 and the backend server, where the F5 takes the role of the client).

    Taking this into account:

    1) The Client SSL profile certificate must be upgraded, yes or yes (to avoid TLS errors during customer navigation).

    2) The backend certificate should be upgraded, but it could be left unmodified (because you could modify your Server SSL profile so that it does not raise errors for possible TLS problems).

    I encourage you to read this doc about the Server SSL profile:

    https://support.f5.com/csp/article/K14806

    Sections:

    • Expire Certificate Response Control
    • Untrusted Certificate Response Control

     

    KR,

    Dario.
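As an added example, not part of this thread and not F5's or Microsoft's own tooling: a small POSIX shell script that answers the question from the outside, by comparing the leaf certificate presented by the virtual server with the one presented by an ADFS proxy behind it. The hostnames (sts.example.com for the VIP, adfsproxy1.internal.example.com for a proxy) are placeholders, and it assumes `openssl` is installed on the machine you run it from. If both fingerprints match, the F5 is passing TLS through untouched and only the ADFS certificate matters, which is what RT found; if they differ, the F5 terminates TLS with its own Client SSL profile certificate, which has its own expiry and must be renewed as well.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Determines whether an F5 virtual server
# presents the backend's ADFS certificate (pass-through) or its own (terminating),
# and warns when either presented certificate is close to expiry.

# Placeholder names; override via environment when running for real.
VIP_HOST="${VIP_HOST:-sts.example.com}"                       # assumed: public name of the F5 virtual server
ADFS_PROXY="${ADFS_PROXY:-adfsproxy1.internal.example.com}"  # assumed: one ADFS/WAP proxy behind the F5
SNI="${SNI:-sts.example.com}"                                 # assumed: federation service name sent as SNI
WARN_DAYS="${WARN_DAYS:-30}"                                  # assumed: renewal warning threshold

# Print the SHA-256 fingerprint of the leaf certificate a TLS endpoint presents.
# $1 host, $2 port, $3 SNI name. Prints nothing if the handshake fails.
leaf_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
    | sed 's/^.*=//'
}

# Exit 0 if the PEM certificate on stdin is still valid for at least $1 more days.
valid_for_days() {
  openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Name the deployment mode from the two observed fingerprints.
# $1 fingerprint seen at the VIP, $2 fingerprint seen at the backend.
classify() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "unknown"          # one side could not be read; do not draw conclusions
  elif [ "$1" = "$2" ]; then
    echo "pass-through"     # same leaf cert: F5 forwards TLS, only the ADFS cert matters
  else
    echo "terminating"      # different leaf: F5 holds its own Client SSL cert to renew too
  fi
}

main() {
  vip_fp=$(leaf_fingerprint "$VIP_HOST" 443 "$SNI")
  backend_fp=$(leaf_fingerprint "$ADFS_PROXY" 443 "$SNI")
  echo "VIP leaf:     ${vip_fp:-<none>}"
  echo "Backend leaf: ${backend_fp:-<none>}"
  echo "Mode:         $(classify "$vip_fp" "$backend_fp")"

  # Check both sides against the renewal threshold so neither expiry is missed.
  for target in "$VIP_HOST" "$ADFS_PROXY"; do
    if ! openssl s_client -connect "$target:443" -servername "$SNI" </dev/null 2>/dev/null \
         | valid_for_days "$WARN_DAYS"; then
      echo "WARNING: certificate presented by $target expires within $WARN_DAYS days (or could not be read)"
    fi
  done
}

# Only contact the network when explicitly asked: sh check_adfs_tls.sh check
if [ "${1:-}" = "check" ]; then
  main
fi
```

Run it as `sh check_adfs_tls.sh check` from a host that can reach both the virtual server and a proxy directly. In the terminating case, the backend warning is the one the Server SSL profile's expired/untrusted certificate response controls from K14806 would otherwise hide from users, so it is worth keeping even if the profile is set to ignore such errors.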