Forum Discussion
Pregunton
Mist
MistRedirect https to https virtual server Certificate question
Hi,
i have to redirect a https request to a https virtual server , i have in mind to use an irule as follows:
when HTTP_REQUEST {
set url [HTTP::uri]
if {[regexp {"STRING"} $url]} {
virtual /Common/MyVirtual
}
}
To do so , i have to set the HTTP profile (client) to http to be able to assing the corresponding Irule to the VS, but requests doesnt work as i have to select the SSL Profile , here the problem.
i created a new SSL client profile and tried to set the Certificate Key chain, but doesnt work ( i think i did it wrong)
The source https request is using a certificate, that i can see already stored at the F5 , inside file ca-bundle.crt , also from the source server i was able to get the certificate and tried to create a new certificate , but doesnt work , i think i'm missing the key or something.
When creating the certificate it's mandatory to generate it as Certificate Authority? or it can be self?
Note: i'm not very good at certificates with F5 , i know how to create irules, manage the F5 and so on .. but i'm lost with the certificates part.
Thanks in advance.
- Mayur_Sutare
MVP
When you configure Client SSL profile so, you are enabling F5 vServer to handle all the SSL/TLS transactions between the client and the vServer. Besically, you are decrypting the traffic on the vServer. When you configure client SSL profile, you need to have the certificate and its associated private key file which needs to be uploaded on the F5. Once those files are uploaded, you need to map it under the client SSL profile that will be mapped to F5 vServer.
Ideally for internet facing URLs/applications, you need to have CA signed certificates to be uploaded on the F5. So client will not get any error/warnings related to untrust/expired certificates.
Now if you are testing the traffic internally, you can use self-signed certificates under client SSL profile. Basically whatever certificate is configured under client SSL profile, that certificate will be presented to the clients.
Basic requirement for the client SSL profile is the certificate and associated private key file. With other default settings, it works well.
As you go further in depth, you have more options to customize configuration like Custom ciphers suits, mTLS, etc.
If you want to learn more about F5 Client SSL profiles, refer this .
For now, with just certificates and private key, you should be fine.
Can you confirm what error are you getting while accessing vServer or URL configured on F5?
Are you getting any certificate warnings?
Preguntonhi,
i can see the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (root cause SunCertPathBuilderException: unable to find valid certification path to requested target)
thanks
