Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Prasad4u's avatar
Prasad4u
Icon for Nimbostratus rankNimbostratus
Mar 14, 2024

In F5 LTM

  In F5 LTM how to configure VIP using SSL-Offloading as *.abc.com certificate where as end node is having *.noam.abc.net certificate
application delivery
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Mar 17, 2024

Hi Prasad4U,

 

Its SSL offloading, that mean , from F5 to backend /real server communication , it must be in plain text , no encryption or decryption after that, hence no need to apply any type of default server (side) profile. NO Server Side SSL profile for SSL offloading.

if you apply a client side as well as server side SSL profile it will be 

A SSL/TLS Wildcard certificate is a single certificate with a wildcard character (*) in the domain name field. This allows the certificate to secure multiple sub domain names (hosts) pertaining to the same base domain.

There are three supported methods for using a single virtual server to handle multiple host names:

Note: You cannot specify the second-level domain as a wildcard. Doing so creates a security risk, and any certificate requested is not be honored by a Certificate Authority (CA). Only the host name portion of the domain can be a wildcard.

For example, the following domain name is not valid:

*.*.net

 

Assuming all your sub-domains are first-level, you're good to go with the wildcard certificate. Just don't include any sub-domains (SANs) with your purchase requests, you really don't have to, and it might be the reason you received misleading information from them. Any first-level sub-domains will automatically be covered by the wildcard certificate.

 

With a wildcard certificate, your second-level sub-domains will not be covered (e.g. "https://mysecond.myfirst.maindomain.com"); neither will "https://maindomain.com" be covered.

 

I recommend reading the information here to learn more about wildcards & sub-domains: https://www.digicert.com/ssl-support/wildcard-san-names.htm

 

Once you are ready with wildcard cert and key,

 

You can use the following method to create a CLIENT SIDE SSL profile to be added in Virtual server later, for performing SSL offloading:

 

https://my.f5.com/manage/s/article/K14783

 

BIG-IP is built to handle SSL traffic in load balancing scenario and meet most of the security requirements effectively. The 3 common SSL configurations that can be set up on LTM device are:

  • SSL Offloading
  • SSL Passthrough
  • Full SSL Proxy / SSL Re-Encryption / SSL Bridging / SSL Terminations

 

HTH
✌️