Forum Discussion

Anthony_Gerace_
Historic F5 Account
Jun 27, 2005

pass client cert for SSL

Hi!

I was asked if it is possible to create an SSL virtual server that would accept unencrypted traffic and encrypt it (Reverse v4.x SSL Accelerator). The problem is the client application requires the use of SSL client certificates, and this would require BIG-IP to present the certificate on behalf of the unencrypted client. Is this possible?

Thanks.

Anthony


  • unRuleY_95363
    Historic F5 Account
    Yes, this is merely what we call serverssl. Simply create an HTTP virtual (probably on port 80) and put the serverssl profile on it. Then create a pool with members on :443 and put the pool on the virtual. The serverssl profile will allow you to reference a cert file that will be used to connect to the back-end application.
  • Anthony_Gerace_
    Historic F5 Account
    Hi!

    Thank you for your quick response. I understand we can create an SSL Acceleration virtual where the client-side connection is unencrypted and the server-side connection is encrypted (ServerSSL). The main part of my question is: can we respond to a request for a client certificate on behalf of the unencrypted client?

    i.e. the server requests a client certificate, the unencrypted client wouldn't have the certificate, so can we configure a BIG-IP to issue a client certificate on behalf of the unencrypted client?

    Thanks again.

    Anthony
  • unRuleY_95363
    Historic F5 Account
    Yes, that is what the cert attribute is for on the serverssl profile. You need to put the filename of the client certificate there.
  • Lee_Orrick_5554
    Historic F5 Account
    One note on this. The native serverssl stack does not support client-side certificates. You will need to set your cipher string to ALL or to include !NATIVE to drop into compatibility mode. Otherwise the LTM will just FIN the connection when the server asks for the client cert.