Forum Discussion

Tore_F_265730's avatar
Icon for Nimbostratus rankNimbostratus
Jun 24, 2018

F5 monitor with client certificate chain



I am attempting to set up a monitor with client certificate authentication and I can configure the monitor with the key/cert appropriately, but there does not seem to be a method for sending the full trust chain with the request like I can with a server profile.


Can I set up a monitor that sends the trust chain with the client certificate during SSL? If so, how can I do this? If you have a link to documentation, that would be great too.




2 Replies

  • You may be able to create your client auth certificate with the appropriate intermediate/root certificates appended. You will need to test this - I'm not sure if it will work.


    Alternatively, on version 13.1.0.x, you could enable In-TMM Monitoring


    K11323537: Configuring In-TMM monitoring


    This new feature allows TMM-based HTTPS monitors to use an existing server-SSL profile to establish SSL/TLS to a pool member.


    However - this comes with a caveat...


    Once you enable In-TMM monitors via the db variable, you will need to update all existing HTTPS monitors to use a suitable server-side ssl profile. There is no current migration process from bigd (OpenSSL-based) settings to TMM (F5 crypto) monitor settings, and unmodified HTTPS monitors will fail in the config due to an incompatible cipher string.




  • In addition to the reply of Simon_Blakely I want to add,  that with In-TMM monitoring the healthchecks will definitely be send through TMM interfaces only.

    Before it was possible, that a healthcheck went out through the MGMT interface in case there was a better route to the node.

    With In-TMM monitoring you now have the ability to use SNI (server name indication). Previous TMOS versions required using external monitors to get this done.