Self Signed cert on Server and external CA cert on F5

Question

Hi,&nbsp;
In a recent requirement, I have to use SSL encryption in between client to F5 and F5 to back end servers communication. 
I am familiar with the first one which will be served by external CA and at the F5 end client side SSL profile will be used. &nbsp;
But my query is on the second one i.e. F5 to back end servers. As per the requirement self-signed certificate will be used at the back end servers. &nbsp;
Please clarify the below queries?&nbsp;
As self-signed certificate will be used so do we need to import the server certificate and key under server SSL profile in F5?If yes, is there any other way around this can be done without importing the certificate in F5.
Thanks/Som&nbsp;

martijn_144688 · Accepted Answer

Hi,&nbsp;
When the backend server is using self signed certificates, you can use the serverssl-insecure-compatible SSL profile on the server side.&nbsp;
This way, the F5 accepts the self signed certificate without the need to import anything on the F5.&nbsp;
Regards,
Martijn.&nbsp;

som_86408 · Answer

Thanks but as far as I know the server-insecure-compaitable ssl profile is used if weak cypher is used at the server end certificate.&nbsp;
Are you sure that this can be used at the f5 end in case of self signed certificate also?
Please confirm.&nbsp;
Thanks.&nbsp;

som_86408 · Answer

Thanks but as far as I know the server-insecure-compaitable ssl profile is used if weak cypher is used at the server end certificate.&nbsp;
Are you sure that this can be used at the f5 end in case of self signed certificate also?
Please confirm.&nbsp;
Thanks.&nbsp;

martijn_van_de1 · Answer

Hi,&nbsp;
The best way is to use a valid certificate on the server that suits your security requirements and make sure the F5 accepts (trust) this certificate.&nbsp;
If you use a self signed certificate and you have minimum control on the ciphers being used, the server-insecure-compatible is the best option.&nbsp;
You can create your own server SSL profile (maybe based on the server-insecure-compatible profile) and change the ciphers in Advanced settings.&nbsp;
Martijn&nbsp;

martijn_144688 · Answer

Hi,&nbsp;
The best way is to use a valid certificate on the server that suits your security requirements and make sure the F5 accepts (trust) this certificate.&nbsp;
If you use a self signed certificate and you have minimum control on the ciphers being used, the server-insecure-compatible is the best option.&nbsp;
You can create your own server SSL profile (maybe based on the server-insecure-compatible profile) and change the ciphers in Advanced settings.&nbsp;
Martijn&nbsp;

Forum Discussion

Self Signed cert on Server and external CA cert on F5

8 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Virtual Server Cannot Access External Pool Members

external URL redirection

F5 External IP

GTM Design For External DNS Queries

Export device backups from BIG-IQ to an external FTP