Forum Discussion

Jason_Peery_467's avatar
Icon for Nimbostratus rankNimbostratus
Mar 27, 2012

Newbie and Certs

So I realize I don't know as much as I thought I did about how certs work, or how they work with F5, and am hitting a point of frustration beyond which I don't know how to deal with, so I was wondering if anyone could point me to a good book, or some resource I can check out that would help me understand all this? I'm really at a loss how BigIP deals with certs, creating them, keys, and combining, etc. Everything I try to do on the BigIP errors with some cryptic message I don't understand, and then I get stuck on some red-herring trail of web searches to try to figure it out. You get the point, I've got my boss on my back to do stuff I am not even sure the F5 can do, but I need to get past this whole cert deal first. Basically, I am trying to use a wildcard cert from a CA on the client side, then use a self-signed cert on the server/back-end side. The documentation is lacking at best, and there's nothing I've been able to find that deals with errors, and how to resolve the weird stuff BigIP tells me. Essentially we want all our traffic to go through the BigIP, then according to the subdomain let the BigIP funnel the traffic to the appropriate application resource.



I'm really trying to not be biased and upset with this product, I think it will do what we want, I just need to get up to speed on my understanding and was wondering what other newbie folks have done to figure this bugger out? Isn't there a "Certs for Dummies" book out there?? :)




Thanks in advance!







2 Replies

  • Hi Jason,

    For general SSL PKI architecture you could try some of these links:

    Sorry it's been frustrating for you. If you already have a wildcard cert and key for a subdomain like *, you should be able import it via the GUI under Local Traffic | SSL certificates. Also import just the root cert you used to generate the wildcard server cert/key. Then create a client SSL profile referencing the wildcard server cert and key and the root cert. Create an HTTP pool with any HTTP server that LTM can reach. Test this to make sure the clientside SSL piece is working.

    Once you have that working, create an HTTPS pool for each set of the actual servers you want to load balance to. These pools should probably be specific to the subdomain the client requests for the web application those servers serve content for. Add a server SSL profile to the virtual server to that LTM will re-encrypt the serverside traffic. Add just one of the HTTPS pools to the virtual server. Test to make sure that requests for that specific subdomain work to that pool.

    Once you have that working, create an iRule like the following:

    when HTTP_REQUEST {
     Select an HTTPS pool based on the subdomain the client requests
     Save the HTTP host set to lowercase
    set host [string tolower [HTTP::host]]
     Check if this is a subdomain
    if { $host ends_with ""}{
     Check the subdomain
    switch [getfield $host . 1] {
    www {
     host header is
    pool www_pool
    app1 {
     host header is
    pool app1_pool
    app2 {
     host header is
    pool app2_pool
    app3 -
    app4 -
    app5 {
     host header is app3, app4 or
    pool app3_pool
    default {
     host header is something else
    pool default_pool

    If you get stuck with this either reply here or email me (aaron at f5 dot com) and I'll see if I can help.

  • Sweet, thanks! I'll check it out, think this is exactly what I was looking for. I know I didn't pull the root cert into the wildcard, so that may be what's messing things up. Will try to work it through tomorrow morning - thanks again!