Forum Discussion

14 Replies

  • I received only web site certificate and chain certificate for this task - 2 way ssl. chain certificate validates the origin of the certificate. the one way ssl was configured already. Explain me please step by step how to configure 2 way ssl for my VS ip:443 only. What must I do with website certificate and chain certificate? I have configured sslclient for my virtual server, but this client was created for one way ssl. I am not able to attache more ssl client profiles to my VS.


    • Kevin_K_51432's avatar
      Historic F5 Account

      Greetings, you are welcome. Are the sites using different domain names? If so, you can use the TLS Server Name Indication (SNI) feature described here:


      K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature



      Hope this is helpful!




    • Gicu_337843's avatar
      Icon for Nimbostratus rankNimbostratus

      Thank you, the second question: how to configure for the same VIP 1-way/2-way ssl, if it is possible. I have 2 sites on my virtual server.I want to have 1-way for the first site, 2-way for the second site...


    • Kevin_K_51432's avatar
      Historic F5 Account



      The Client SSL profile has a Client Authentication section. The two important options are:


      • Client Certificate (ignore/request/require)
      • Trusted Certificate Authorities (the CA that signs the client certificate)

      Once these are in place (usually require is chosen), the BIG-IP system will verify that the client provided certificate has been signed by the SSL profile's associated Trusted Certificate Authority.


      Hope this is helpful,




  • Generate CSR: Login to F5 active device 


    Go to System ›› File Management : SSL Certificate List Click create button and update the details as mentioned below Note: In common name you need to mention FQDN name. If it is not a wildcard certificate then you need to mention as FQDN name. If it is wild card mention * before FQDN. Always select key size as 2048.


    B. Download the CSR file and send to vendor


    C. Vendor will provide following certificates.


    Website certificate --This one you need to import . AddTrustExternalCARoot . UserTrustSAAddtrustCA . Trusted Secure Certificate Authority


    D. Now import the certs as mentioned below. System ›› File Management : SSL Certificate List ›› Import


    E.Key import details are mentioned below. System ›› File Management : SSL Certificate List ›› Import


    Both Cert and key should be same name


    Once cert, key and intermediate certs are imported we need to create SSL client profile


    F.Configure new SSL certs under Client profile


    Create a new profile as mentioned below


    Go to Local Traffic ›› Profiles : SSL : Client In Certificate, key and chain select the files which you created Then click Add Once certificate key chain is update, click finished


    Most of the times you need to update intermedaite certificate. Then you need to bundle certificates other than website certificate and import and call in SSL client profile chain section.


    For Server SSL just assign default existing profile (serverssl-insecure-compatible)


  • How to configure those profiles client and server, I have 2 certificates and the chain certificate. Thanks. I am new in F5 Big IP. (((


  • Hi,


    Client ---- > F5 ---> Server


    Client to F5 --Use client SSL profile F5 to server --use Server SSL profile


    Please let me know if any more information is required.


  • Hi Piotr, your answer not work for me. I have configured for my server one way ssl, now I want to configure 2 way ssl autenthication for it. Thank you.


  • Hi,


    Do you mean client authentication via certificate? If so it's quite easy. You have of course terminate SSL on VS using clientssl profile. In the profile you have part named Client Authentication. Actually what you need to populate Trusted Certificate Authorities (with certificates or certificate chains that can validate client certificate send during ssl handshake). To enable just set Client Certificate to require. If you search AskF5 there are at least few articles with more details.