Forum Discussion
How to Implement 2 Way SSL in F5 LTM
I received only the web site certificate and the chain certificate for this task - 2-way SSL. The chain certificate validates the origin of the certificate. One-way SSL was configured already. Please explain to me step by step how to configure 2-way SSL for my VS ip:443 only. What must I do with the website certificate and the chain certificate? I have configured sslclient for my virtual server, but this client profile was created for one-way SSL. I am not able to attach more SSL client profiles to my VS.
- RaghavendraSY | Oct 17, 2017 | Altostratus
If you want to configure server SSL certificate:
Go to Local Traffic > Virtual Servers > click on the virtual server > go to the Configuration section > in SSL Profile (Server) > move serverssl-insecure-compatible from Available to Selected
If you want to configure client ssl certificate:
You need certificate and key along with chain certificate. Please confirm whether you have all 3 certificates?
- Gicu_337843 | Oct 17, 2017 | Nimbostratus
Mr, I want to configure 2-way SSL authentication for my virtual server 10.0.0.10:443. Please explain by steps: 1. 2. n.
Only how to configure 2-way SSL authentication - not more.
- Gicu_337843 | Oct 17, 2017 | Nimbostratus
I think you didn't understand me. I have a virtual server, e.g. 10.0.0.10. I have 2 sites on it. I configured one-way SSL for my VS: created an sslclient profile, added the certificate, key and chain, and bound it to my VS. Now I want to configure 2-way SSL for this VS, where we need the public certificate only. The customer sent me a certificate and a chain certificate - 2 files only. (We need only client authentication with a certificate, where the key is not required, because we only need to trust the public certificate that the client sends to us; the private key always remains with the certificate owner and is never exchanged.) So we need to find a way to import them and tell our server to ask for the client certificate.
- Kevin_K_51432 | Oct 18, 2017 | Historic F5 Account
Greetings,
- Client Certificate (ignore/request/require)
- Trusted Certificate Authorities (the CA that signs the client certificate)
Once these are in place (usually require is chosen), the BIG-IP system will verify that the client-provided certificate has been signed by the SSL profile's associated Trusted Certificate Authority.
Hope this is helpful,
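The signed-by-the-trusted-CA check described above can be tried offline with openssl before the chain file is set as Trusted Certificate Authorities. This is an added example, not part of the original thread: it builds two constructed CAs and one client certificate, and every file name and subject in it is an assumption.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and file here is constructed for the demo;
# on a real system chain.crt and client.crt are the two files the customer sent.

# Create two throwaway CAs and one client certificate signed by the first.
make_demo_pki() {
  local d="$1" ca
  for ca in chain other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
  done
  # The client generates its own key and CSR; client.key never leaves the client.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/client.csr" -CA "$d/chain.crt" -CAkey "$d/chain.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# Succeeds only if client cert $2 chains to a CA in bundle $1.
# Matches the "OK" line rather than the exit status, which older OpenSSL
# releases did not set reliably.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Issuer of the client cert: this is the CA the trusted bundle has to contain.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

WORK="$(mktemp -d)"
make_demo_pki "$WORK" || { echo "openssl failed" >&2; exit 1; }
issuer_of "$WORK/client.crt"
for bundle in chain other-ca; do
  if verify_client_cert "$WORK/$bundle.crt" "$WORK/client.crt"; then
    echo "$bundle.crt: validates client.crt, usable as the trusted CA bundle"
  else
    echo "$bundle.crt: does not validate client.crt"
  fi
done
```

Only the CA certificate and the client's public certificate are read by the check; client.key is never needed on the verifying side.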
- Gicu_337843 | Oct 19, 2017 | Nimbostratus
Thank you. The second question: how to configure 1-way/2-way SSL for the same VIP, if it is possible. I have 2 sites on my virtual server. I want to have 1-way for the first site, 2-way for the second site...
- Kevin_K_51432 | Oct 19, 2017 | Historic F5 Account
Greetings, you are welcome. Are the sites using different domain names? If so, you can use the TLS Server Name Indication (SNI) feature described here:
K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature
https://support.f5.com/csp/article/K13452
Hope this is helpful!