F5 Big-IP Trust Internal CA Chain certificates for Web Servers

Question

Great day F5 Friends,Currently, we use a wildcard certificate on all of our web servers which requires us to replace it when the certificate is expired. The Big-IP isn't configured to "only" trust this certificate on these servers which is less secure.&nbsp;&nbsp;Where I would like assistance in is how to configure my Big-IP's to trust only our internal CA for those pools.&nbsp; *NOTE: &nbsp;I will configure GPO to auto-enroll the web servers for SSL certs and bind to IIS.Is it as simple as uploading the Chain cert to the Big-IP and then create a server ssl profile pointing to that Chain cert and adding the profile to the VS?&nbsp;&nbsp;Thanks for your time and energy in this.&nbsp;&nbsp;Sincerely,Paul Courtois

injeyan_kostas · Answer

Hello,&nbsp;Indeed it's as simple as creating a new server SSL profile and assign it to VS.You will need to set server certificate to require under server authentication and select the appropriate trusted CA. You have to upload the CA chain beforehand.Check this https://my.f5.com/manage/s/article/K14806#subsect3

pcourtois · Answer

Good day my friend.&nbsp; Awesome!&nbsp; Thank you.&nbsp; I'll try this in my dev environment and update asap.&nbsp; Much appreciated. &nbsp;👊

pcourtois · Answer

Copy that.&nbsp; You ROCK!&nbsp; Thank you.&nbsp; I'll give this a try and update.&nbsp;&nbsp;

injeyan_kostas · Answer

You mean you applied 2 server SSL profiles?Can you use only the new one? If no you need to let VS know which one to use in each request.

injeyan_kostas · Answer

Happy Friday to yoo too pcourtois​&nbsp;irule is you friend in this casecheck this https://my.f5.com/manage/s/article/K13452when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] ":" 1]
}
when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
      "sitea.com" {
          SSL::profile serverssl-siteA
      }
      "siteb.com" {
          SSL::profile serverssl-siteB
      }
      default {
        #default serversssl profile to be selected if Host header value cannot be matched with predefined values
        SSL::profile serverssl
      }
    }
}&nbsp;

Forum Discussion

F5 Big-IP Trust Internal CA Chain certificates for Web Servers

8 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Could not communicate with the system. Try to reload page.

CVE mitigation on F5 XC vs classic F5 WAF

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Automating Certificate Management on F5 BIG-IP

Automating ACMEv2 Certificate Management on BIG-IP

2 internal server vlans

Understanding Server SSL Trusted Certificate Authorities on BIG-IP

Automate Let's Encrypt Certificates on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS