Forum Discussion

Prasad4u's avatar
Icon for Nimbostratus rankNimbostratus
Mar 14, 2024



In F5 LTM how to configure VIP using SSL-Offloading as * certificate where as end node is having * certificate

2 Replies

  • put the *'s private key and public certificate in virtual server's client (side) profile.

    you can use the default server (side) profile.

    you can use f5 local traffic policy to change http host header to the,
    but it is better if the webserver is configured to accept
    usually it is not difficult to add accepted hostnames in webserver config.

  • Hi Prasad4U,


    Its SSL offloading, that mean , from F5 to backend /real server communication , it must be in plain text , no encryption or decryption after that, hence no need to apply any type of default server (side) profile. NO Server Side SSL profile for SSL offloading.

    if you apply a client side as well as server side SSL profile it will be 

    A SSL/TLS Wildcard certificate is a single certificate with a wildcard character (*) in the domain name field. This allows the certificate to secure multiple sub domain names (hosts) pertaining to the same base domain.

    There are three supported methods for using a single virtual server to handle multiple host names:

    Note: You cannot specify the second-level domain as a wildcard. Doing so creates a security risk, and any certificate requested is not be honored by a Certificate Authority (CA). Only the host name portion of the domain can be a wildcard.

    For example, the following domain name is not valid:



    Assuming all your sub-domains are first-level, you're good to go with the wildcard certificate. Just don't include any sub-domains (SANs) with your purchase requests, you really don't have to, and it might be the reason you received misleading information from them. Any first-level sub-domains will automatically be covered by the wildcard certificate.


    With a wildcard certificate, your second-level sub-domains will not be covered (e.g. ""); neither will "" be covered.


    I recommend reading the information here to learn more about wildcards & sub-domains:


    Once you are ready with wildcard cert and key,


    You can use the following method to create a CLIENT SIDE SSL profile to be added in Virtual server later, for performing SSL offloading:



    BIG-IP is built to handle SSL traffic in load balancing scenario and meet most of the security requirements effectively. The 3 common SSL configurations that can be set up on LTM device are:

    • SSL Offloading
    • SSL Passthrough
    • Full SSL Proxy / SSL Re-Encryption / SSL Bridging / SSL Terminations