Forum Discussion
boommen_197293
Nimbostratus
NimbostratusRegarding client and server side offloading
Hey all,
Here's the configuration I need to get working:
WebPortal{443} (not on load balancer) -> VS{443} -> nodes{443}
due to client requirements, the nodes must serve up content on 443. I would like the load balancer to handle SSL offloading, so i have a standard VS setup with client and server side SSL profiles. I am confused on the server side offloading portion.
Let's say my VS would be devsite.com. I would generate a client side cert with a CN of devsite.com, but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose? What also throws me off is that the node itself will have a cert, but based on my config above, does that cert go unused?
Hope this makes sense, and thanks for your help
but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose?
certificate/key in serverssl profile is used when pool member does client certificate authentication (bigip acts as client to pool member). in short, you should not need it and can set certificate/key to none.
sol14806: Overview of the Server SSL profile (11.x)
https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
nitass_89166Noctilucent
but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose?
certificate/key in serverssl profile is used when pool member does client certificate authentication (bigip acts as client to pool member). in short, you should not need it and can set certificate/key to none.
sol14806: Overview of the Server SSL profile (11.x)
https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
boommen_197293Thanks for the reply nitass, when i set the cert and key to none, my connection fails. I must be configuring something incorrectly. Your response does help me understand the server side role better though- nitass_89166you may try tcpdump/ssldump to see what the wrong is.
nitassEmployee
but when generating the server side CSR, does the CN need to match that, or can it be named anything i choose?
certificate/key in serverssl profile is used when pool member does client certificate authentication (bigip acts as client to pool member). in short, you should not need it and can set certificate/key to none.
sol14806: Overview of the Server SSL profile (11.x)
https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html- boommen_197293Thanks for the reply nitass, when i set the cert and key to none, my connection fails. I must be configuring something incorrectly. Your response does help me understand the server side role better though
- nitassyou may try tcpdump/ssldump to see what the wrong is.