For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Thiago_Morais's avatar
Thiago_Morais
Icon for Altostratus rankAltostratus
Jan 12, 2021

Multiple SSL certificates in the Server Side

I need help to configure a VS based on the following scenario.   1) Each node has a self-assigned certificate based on FQDN (server's hostname) 2) The service is active in one node 3) The other...
application delivery
BIG-IP
LTM
Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Jan 13, 2021

Hi Thiago,

in the serverside context the F5 acts as the client and doesn't interest on the validation of the server certificate (name, issuer, date). So you should be fine to simply use the parent serverSSL profile. Only on the clientside you have to use a specific clientSSL profile with an officially signed certificate matching the name of the DNS from your VS.

And regarding the "failover" of the poolmembers I see two options:

  • Only the active member reacts successful on the health-check, so just this member becomes green and gets traffic. In case of an issue with the primary member, the second one becomes active and its monitor gets green.
  • All members react successfully on the health-check, so you need to work with priority groups and must define the same order of the other members (in case there are more than two) as the "failover" within the application would do (if this is hopefully not a dynamic algorithm).

 

Ciao Stefan :)