Forum Discussion

F599
Feb 04, 2025

Problem with self-signed certificate

We have a self-signed certificate on a Back End server.
However, this certificate is not secure.
I need F5 to ignore the untrusted certificate and apply a certificate that I configured in the SSL profile.


I've done several tests, but without success.

  • Hi F599 

    If you need the F5 to present the certificate you want to the client, you need to map the certificate under the client-ssl profile, as the client-ssl profile is responsible for managing SSL handshakes between the client and the F5 vServer.

    If you have a self-signed certificate on the server side, then that should not be the problem, as it will be used for the SSL handshake between the F5 vServer and the backend server. This will be done based on the server-ssl profile.

    So basically, you need to properly configure the client-ssl and server-ssl profiles to handle their respective SSL transactions. Once both profiles are configured, map them on the desired vServer.

    If you do not apply any SSL profile to the vServer, it will act as SSL passthrough on the F5. In this case, the F5 will not handle SSL handshakes and the client will receive the certificate configured on the backend servers.

    Refer to this for more details on it.

    Hope it helps!

  • Have you put the http, client-side SSL profile and server-side SSL profile into the vserver config?

    If the backend's SSL cert is received by the client, it seems you are currently on TCP load balancing.

  • f51

    Hi F599,

    Try the steps below.

    Here are a few steps you can follow to configure the F5 to ignore the untrusted self-signed certificate on the backend server and use the certificate you configured in the SSL profile:

    1. Create a Client SSL Profile: This profile is applied to the client side of the connection (i.e., between the client and the F5 load balancer).
      • Go to Local Traffic > Profiles > SSL > Client.
      • Click on "Create" and configure the profile with the certificate and key you want to use.
      • Make sure you select the appropriate certificate and key that you have uploaded to the F5.
    2. Create a Server SSL Profile: This profile is applied to the server side of the connection (i.e., between the F5 load balancer and the backend server).
      • Go to Local Traffic > Profiles > SSL > Server.
      • Click on "Create" and configure the profile.
      • In the "Server Authentication" section, set "Server Certificate" to "Ignore".
      • Ensure that "Chain" is set to "None" (unless you have a specific chain to validate).
      • Save the profile.
    3. Apply SSL Profiles to Virtual Server:
      • Go to Local Traffic > Virtual Servers.
      • Select the virtual server that is handling the traffic.
      • Under the "Resources" tab, click on "SSL Profile (Client)" and select the Client SSL profile you created.
      • Click on "SSL Profile (Server)" and select the Server SSL profile you created.
      • Save and apply the changes. 
    4. After applying these profiles, the F5 load balancer should terminate the SSL on the client side using the certificate you configured in the Client SSL profile, and then re-encrypt the traffic to the backend server while ignoring the untrusted self-signed certificate.
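Added example (not from this thread or from F5): a POSIX shell script that classifies what a BIG-IP virtual server does with TLS from saved `tmsh list ltm virtual <name>` output, which answers the earlier question of whether the VIP is really doing plain TCP load balancing (SSL passthrough), and prints the tmsh equivalents of the GUI steps above. The sample output, the virtual server and profile names (vs_app, my_client_ssl, my_server_ssl, pool_app) and the lists of existing SSL profile names are all constructed; the layout follows the usual tmsh list format. The `peer-cert-mode ignore` property is the tmsh counterpart of the "Server Certificate: Ignore" setting in step 2.

```shell
#!/bin/sh
# Added example (not from this thread or from F5): classify how a BIG-IP virtual
# server handles TLS from saved `tmsh list ltm virtual <name>` output, and print
# the tmsh commands that would attach the missing profiles. It only prints; it
# never runs tmsh. Assumptions: the object layout below (the usual tmsh list
# format) and all names (vs_app, my_client_ssl, my_server_ssl, pool_app).

# Constructed sample: Standard VS with client-ssl and server-ssl attached (SSL bridging).
SAMPLE_BRIDGING='ltm virtual vs_app {
    destination 10.0.0.10:443
    ip-protocol tcp
    pool pool_app
    profiles {
        http { }
        my_client_ssl {
            context clientside
        }
        my_server_ssl {
            context serverside
        }
        tcp { }
    }
}'

# Constructed sample: Standard VS with only tcp, i.e. SSL passthrough.
# The client sees the backend's own self-signed certificate here.
SAMPLE_PASSTHROUGH='ltm virtual vs_app {
    destination 10.0.0.10:443
    ip-protocol tcp
    pool pool_app
    profiles {
        tcp { }
    }
}'

# Constructed sample: Performance (Layer 4) VS; the F5 never touches TLS.
SAMPLE_FASTL4='ltm virtual vs_app {
    destination 10.0.0.10:443
    ip-protocol tcp
    pool pool_app
    profiles {
        fastL4 { }
    }
}'

# Names of the client-ssl and server-ssl profiles that exist on the box
# (constructed; in practice take them from `tmsh list ltm profile client-ssl`
# and `tmsh list ltm profile server-ssl`).
CLIENT_SSL_NAMES="clientssl my_client_ssl"
SERVER_SSL_NAMES="serverssl my_server_ssl"

# Print the names of the profiles attached to a VS, one per line.
# Profile entries sit eight spaces deep inside the `profiles { }` block and
# look like `name { }` or `name {`; the deeper `context ...` lines are skipped.
vs_profile_names() {
  printf '%s\n' "$1" | sed -n 's/^        \([^ ][^ ]*\) {.*/\1/p'
}

# Return 0 if any profile attached to the VS ($1) is in the name list ($2).
has_profile_from() {
  for attached in $(vs_profile_names "$1"); do
    for known in $2; do
      [ "$attached" = "$known" ] && return 0
    done
  done
  return 1
}

# Classify the VS: performance-l4, ssl-bridging, ssl-offload,
# serverside-only or passthrough.
vs_ssl_mode() {
  vs="$1"; client_names="$2"; server_names="$3"
  if has_profile_from "$vs" "fastL4"; then
    echo "performance-l4"; return 0
  fi
  c=0; s=0
  has_profile_from "$vs" "$client_names" && c=1
  has_profile_from "$vs" "$server_names" && s=1
  case "$c$s" in
    11) echo "ssl-bridging" ;;
    10) echo "ssl-offload" ;;
    01) echo "serverside-only" ;;
    *)  echo "passthrough" ;;
  esac
}

# Print (do not run) the tmsh commands that turn a passthrough VS into SSL
# bridging: a server-ssl profile that does not verify the backend certificate,
# then http plus both SSL profiles attached to the VS, then save.
fix_commands() {
  vs="$1"; client_prof="$2"; server_prof="$3"
  printf '%s\n' \
    "tmsh create ltm profile server-ssl $server_prof defaults-from serverssl peer-cert-mode ignore" \
    "tmsh modify ltm virtual $vs profiles add { http { } $client_prof { context clientside } $server_prof { context serverside } }" \
    "tmsh save sys config"
}

for sample in "$SAMPLE_BRIDGING" "$SAMPLE_PASSTHROUGH" "$SAMPLE_FASTL4"; do
  echo "mode: $(vs_ssl_mode "$sample" "$CLIENT_SSL_NAMES" "$SERVER_SSL_NAMES")"
done
echo "--- commands to fix the passthrough VS ---"
fix_commands vs_app my_client_ssl my_server_ssl
```

To use it on a real box, replace the sample strings with saved `tmsh list ltm virtual <name>` output and fill the two name lists from `tmsh list ltm profile client-ssl` and `tmsh list ltm profile server-ssl`; the classification matches attached profile names against those lists, so an SSL profile missing from a list is not recognised. `peer-cert-mode ignore` makes the F5 accept any backend certificate, which is what the original question asks for; where the backend's self-signed certificate is known and stable, importing it and pointing the server-ssl `ca-file` at it (as f51 suggests later in the thread, with a real certificate file rather than an empty one) keeps backend verification switched on.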
  • F599

    Hello f51,

    I performed this procedure, but it didn't work.
    Yes, my VIP is using protocol TCP.
    Another detail: when I change from Standard to Performance (Layer 4), the site works, but with an insecure application certificate.

    The F5 is not ignoring the self-signed certificate on the Back End server and is also not applying the certificate I configured.

    • f51

      Is it possible to post the logs?

      Try the steps below too.

      touch /config/ssl/empty-ca.crt

      tmsh modify ltm profile server-ssl my_server_ssl_profile ca-file /config/ssl/empty-ca.crt

  • Hi F599 

    When you use a Performance (Layer 4) type virtual server, SSL/TLS will be terminated on the backend server. In this case, the F5 does not have any control over it, so whatever certificate is available on the backend server will be presented to the client. The same is happening in your case. And this is not an issue; it is as per the design and how the packet is being handled.

    With the Standard type of virtual server, you can manage SSL configurations on the F5.

    Check this article to understand how sessions get established with each type of virtual server.

    Overview of TCP connection setup for BIG-IP LTM virtual server types

    Could you please confirm the points below?

    1. Did you map client-ssl profile and server-ssl profile to Standard type of virtual server?
    2. If yes, what is the behaviour with this setup? Is SSL handshake successful or is there any error?
    • F599

      Hi,

      In client-ssl we use our internal certificate.
      In server-ssl we create a profile to ignore the server's untrustworthy certificate.

      In this scenario, our certificate is not recognized and the website cannot be accessed.

      The error is that the page could not be accessed.

      • Three answers say it is possible and I agree. Please provide more details on your exact configuration.

        Either some screenshots or CLI output of the configuration (remove or replace private information).