Forum Discussion
In F5 LTM
Hi Prasad4U,
It's SSL offloading, which means that communication from the F5 to the backend/real server must be in plain text, with no encryption or decryption after that; hence there is no need to apply any type of default server (side) profile. NO server-side SSL profile for SSL offloading.
If you apply a client-side as well as a server-side SSL profile it will be
A SSL/TLS Wildcard certificate is a single certificate with a wildcard character (*) in the domain name field. This allows the certificate to secure multiple sub domain names (hosts) pertaining to the same base domain.
There are three supported methods for using a single virtual server to handle multiple host names:
- A Secure Socket Layer (SSL) wildcard certificate
- A SAN/UCC certificate (K11438: Creating a SAN/UCC certificate request)
- The Transport Layer Security (TLS) Server Name Indication (SNI) extension (K13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication feature)
Note: You cannot specify the second-level domain as a wildcard. Doing so creates a security risk, and any certificate requested is not honored by a Certificate Authority (CA). Only the host name portion of the domain can be a wildcard.
For example, the following domain name is not valid:
*.*.net
Assuming all your sub-domains are first-level, you're good to go with the wildcard certificate. Just don't include any sub-domains (SANs) with your purchase requests, you really don't have to, and it might be the reason you received misleading information from them. Any first-level sub-domains will automatically be covered by the wildcard certificate.
With a wildcard certificate, your second-level sub-domains will not be covered (e.g. "https://mysecond.myfirst.maindomain.com"); neither will "https://maindomain.com" be covered.
I recommend reading the information here to learn more about wildcards & sub-domains: https://www.digicert.com/ssl-support/wildcard-san-names.htm
Once you are ready with the wildcard cert and key, you can use the following method to create a CLIENT SIDE SSL profile, to be added to the virtual server later, for performing SSL offloading:
https://my.f5.com/manage/s/article/K14783
BIG-IP is built to handle SSL traffic in a load-balancing scenario and meet most of the security requirements effectively. The 3 common SSL configurations that can be set up on an LTM device are:
- SSL Offloading
- SSL Passthrough
- Full SSL Proxy / SSL Re-Encryption / SSL Bridging / SSL Terminations
HTH
✌️
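
Added example, not part of the original post or of F5's documentation: a small Python check of which host names a wildcard certificate covers, following the rules quoted above (one label only, no `*.*.net`, apex not covered). The function names and the sample host list are constructed for illustration, and rejecting partial wildcards and `*.tld` names is a conservative assumption.

```python
def wildcard_covers(pattern: str, host: str) -> bool:
    """Return True if certificate name `pattern` matches `host`.

    The wildcard stands for exactly one label and is accepted only as
    the whole left-most label (RFC 6125, section 6.4.3).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # One wildcard == one label, so both names need the same depth.
    # This is why the apex and deeper sub-domains are not covered.
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard anywhere but the left-most label (e.g. *.*.net) is invalid.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # Assumption: require at least two fixed labels, so "*.net" is rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Assumption: partial wildcards such as "w*.example.com" are rejected.
    if "*" in p_labels[0]:
        return False
    return p_labels == h_labels


def uncovered_hosts(cert_names, hosts):
    """Hosts served by the virtual server that no certificate name covers."""
    return [h for h in hosts
            if not any(wildcard_covers(n, h) for n in cert_names)]


# Constructed sample: host names one virtual server is expected to serve.
SAMPLE_HOSTS = [
    "www.maindomain.com",
    "api.maindomain.com",
    "maindomain.com",
    "mysecond.myfirst.maindomain.com",
]

if __name__ == "__main__":
    for names in (["*.maindomain.com"], ["*.*.net"]):
        print(names, "does not cover:", uncovered_hosts(names, SAMPLE_HOSTS))
```

Any host name the check reports as uncovered needs one of the other two methods listed above (a SAN/UCC certificate or SNI with a separate profile) before it is pointed at the virtual server.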