Forum Discussion
Based on the example configuration, I am assuming you are providing the service which the SaaS server is connecting to and you have wired up the virtual server with a publicly signed certificate.
To answer your question, mutual authentication is essentially based on trust. In this scenario:
- The certificate on the virtual server needs to be trusted by the SaaS server. As this is a publicly signed certificate, that should be pretty straightforward.
- The certificate that the SaaS server presents needs to be trusted by the virtual server. It is your choice which trusted CAs these certificates are issued from.
For greater control, these should be issued by your internal PKI. You could also trust third-party CAs that issue certificates on your behalf.
Do take note that any CA you choose needs to have its CRL available and imported to the F5 if you have a requirement for revocation checking.
So then, does the SaaS provide their certificate and public key to me and I import them into my F5 SSL certificate list? How does the F5 validate that they are the only public host to access this connection?