Forum Discussion

som_86408
Jun 04, 2018

Self Signed cert on Server and external CA cert on F5

Hi,

 

In a recent requirement, I have to use SSL encryption both between the client and the F5 and between the F5 and the back-end servers. I am familiar with the first one, which will be served by an external CA, and at the F5 end a client-side SSL profile will be used.

 

But my query is on the second one, i.e. F5 to back-end servers. As per the requirement, a self-signed certificate will be used at the back-end servers.

 

Please clarify the below queries:

 

  1. As a self-signed certificate will be used, do we need to import the server certificate and key under the server SSL profile in F5?
  2. If yes, is there any other way this can be done without importing the certificate in F5?

Thanks/Som

 

  • Hi,

     

    When the backend server is using self-signed certificates, you can use the serverssl-insecure-compatible SSL profile on the server side.

    This way, the F5 accepts the self-signed certificate without the need to import anything on the F5.

     

    Regards, Martijn.

     

    • som_86408

      Thanks, but as far as I know the server-insecure-compatible SSL profile is used if a weak cipher is used at the server end certificate.

      Are you sure that this can be used at the F5 end in case of a self-signed certificate also? Please confirm.

       

      Thanks.

       

    • Martijn_144688

      Hi,

       

      The best way is to use a valid certificate on the server that suits your security requirements and make sure the F5 accepts (trusts) this certificate.

      If you use a self-signed certificate and you have minimum control on the ciphers being used, the server-insecure-compatible is the best option.

       

      You can create your own server SSL profile (maybe based on the server-insecure-compatible profile) and change the ciphers in Advanced settings.

       

      Martijn
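
The two options discussed in this thread, written out as tmsh commands in an added example that is not part of the original posts: option A attaches the built-in profile named in the answer, option B imports only the back-end certificate (not its private key) as a trust anchor so that the F5 actually verifies it. The object names `vs_app`, `serverssl_backend_pinned` and `backend_selfsigned.crt`, the path under `/var/tmp` and the host name `app01.example.internal` are assumptions.

```tmsh
# Added example. All object names, the file path and the host name are assumptions.
# A virtual server takes one server-side SSL profile: use option A or option B.

# Option A (from the thread): built-in profile, nothing imported on the F5.
# Inspect it first. If peer-cert-mode is "ignore", the back-end certificate is
# accepted without being checked, so the F5 cannot tell the real server from
# anything else answering on that address.
list ltm profile server-ssl serverssl-insecure-compatible peer-cert-mode ca-file ciphers
modify ltm virtual vs_app profiles add { serverssl-insecure-compatible { context serverside } }

# Option B: trust exactly the self-signed certificate of the back end.
# 1. Copy the server's certificate (public part only, no key) to the F5 and import it.
install sys crypto cert backend_selfsigned.crt from-local-file /var/tmp/backend_selfsigned.crt

# 2. Create a server SSL profile that requires a certificate chaining to that
#    trust anchor and, as an extra check, a matching name in the certificate
#    (assumes the self-signed certificate was issued for app01.example.internal).
create ltm profile server-ssl serverssl_backend_pinned defaults-from serverssl ca-file backend_selfsigned.crt peer-cert-mode require authenticate-name app01.example.internal

# 3. Attach it on the server side of the virtual server and confirm the settings.
modify ltm virtual vs_app profiles add { serverssl_backend_pinned { context serverside } }
list ltm profile server-ssl serverssl_backend_pinned ca-file peer-cert-mode authenticate-name
```

With `peer-cert-mode require`, a back-end certificate that is replaced or expires makes the server-side handshake fail, so certificate rotation on the servers has to include importing the new certificate on the F5.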

       
