Forum Discussion
Based on the example configuration, I am assuming you are providing the service which the SaaS server is connecting to and you have wired up the virtual server with a publicly signed certificate.
To answer your question,
Mutual authentication is essentially based on trust, in this scenario:
- The certificate on the virtual server needs to be trusted by the SaaS server. As this is a publicly signed certificate, that should be pretty straightforward.
- The certificate that the SaaS server presents needs to be trusted by the virtual server. It is your choice which trusted CAs these certificates are issued from.
For greater control, these should be issued by your internal PKI. You could also trust third-party CAs that issue certificates on your behalf.
Do take note that any CA you choose needs to have its CRL available and imported to the F5 if you have the requirement of revocation checking.
When I first looked at the diagram I thought the internal server would initiate the connection towards the SaaS provider. In that case serverssl and clientssl need to be reversed. If the flow is from SaaS towards the internal server as you assumed, then it is correct. Some notes on the question if the answer provided was not clear enough:
"Does the CA reference the certificate and key chosen above?" The certificate and key you configured are not used in authenticating the SaaS provider - so no, it does not. The certificate you configured under clientssl is presented to the SaaS when they connect to your virtual server. It is signed with your private key and if the certificate was issued by a trusted CA the SaaS should have no issues accepting it.
"Does the SaaS provider also have to have my cert and key on the other end for this to work?" NO. When they connect to your virtual server you do reply with the certificate. And, very important, the key on the F5 is your private key. It should never, never leave the F5 :-)!!! If anybody gets a hold of it they can sign communication as if coming from you.
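The two trust directions described in both replies, written out as an added tmsh example for the flow the thread assumes (SaaS connects inbound to the F5 virtual server); this is not configuration from the thread, and every object name (profile, virtual server, cert, key, chain, CA and CRL file objects) is a placeholder that assumes the files have already been imported on the BIG-IP:

```tmsh
# Added example, not from the thread. All object names are placeholders and
# refer to sys file ssl-cert / ssl-key / ssl-crl objects already on the BIG-IP.
#
# Direction 1: what the F5 presents to the SaaS client on the clientside.
#   cert/key/chain = the publicly signed certificate, its private key (which
#   stays on the F5) and the issuer chain.
# Direction 2: what the F5 will accept from the SaaS client.
#   peer-cert-mode require = the SaaS must present a client certificate.
#   ca-file  = the CA you chose to trust for those client certs (internal PKI).
#   crl-file = that CA's CRL, imported on the F5, so revoked certs are rejected.
create ltm profile client-ssl saas_mtls_clientssl \
    defaults-from clientssl \
    cert  public_site.crt \
    key   public_site.key \
    chain public_site_chain.crt \
    peer-cert-mode require \
    ca-file  internal_pki_ca.crt \
    crl-file internal_pki.crl

# Attach the profile on the client side of the virtual server the SaaS connects to.
# (If the flow were reversed, internal server -> SaaS, a server-ssl profile in
# context serverside would carry the same settings instead.)
modify ltm virtual vs_saas_inbound profiles add { saas_mtls_clientssl { context clientside } }

# Check which certificate the F5 will present and which CA/CRL it will enforce.
list ltm profile client-ssl saas_mtls_clientssl cert key chain peer-cert-mode ca-file crl-file
```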