serverssl profile with only certifikate - v10.0.1

Question

Hi,&nbsp;
I have VS with serverssl profile assigned that has only certificate configured, no private key. As far as I ubderstand purpose of assigning certificate to serverssl it doesn't make sense.&nbsp;
Such configuration is required only when LTM should be able to perform certificate based authentication as client - when target server is requiring it. Without private key it is not possible - Am I right here?&nbsp;
Problem is that in 10.0.1 it's possible to save profile with only cert assigned, it's not possible in 11.6.0 - GUI is displaying error - missing private key - seems logical.&nbsp;
However in v10 when VS has assigned serverssl profile with certificate only https connections to tarfget server are working. When default serverssl profile is assigned to the same server (so no cert and no private key) communication with target server is no more working.&nbsp;
Any ideas what could be the reason?&nbsp;
Piotr&nbsp;

nitass · Answer

Such configuration is required only when LTM should be able to perform certificate based authentication as client - when target server is requiring it. Without private key it is not possible - Am I right here?&nbsp;

i agree.&nbsp;

When default serverssl profile is assigned to the same server (so no cert and no private key) communication with target server is no more working.&nbsp;

have you tried tcpdump/ssldump? what did you get?&nbsp;

nitass_89166 · Answer

Such configuration is required only when LTM should be able to perform certificate based authentication as client - when target server is requiring it. Without private key it is not possible - Am I right here?&nbsp;

i agree.&nbsp;

When default serverssl profile is assigned to the same server (so no cert and no private key) communication with target server is no more working.&nbsp;

have you tried tcpdump/ssldump? what did you get?&nbsp;

dragonflymr · Answer

I have no direct access to the system, waiting for dump to be provided. Still profile that is working is only different from build in serverssl in are of certificate assigned. All other setting are the same as in build in profile - a bit strange that result of using build in profile is loss of communication with target server.
Here is working profile

server-ssl some_name {
    alert-timeout 60
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file none
    cache-size 20000
    cache-timeout 3600
    cert some.crt
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from serverssl
    handshake-timeout 60
    key none
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    partition Common
    passphrase none
    peer-cert-mode ignore
    renegotiate-period indefinite
    renegotiate-size indefinite
    strict-resume disabled
    unclean-shutdown enabled

I was suspecting issues with ciphers but custom profile and build in profile are both using DEFAULT

Piotr

dragonflymr · Answer

I have no direct access to the system, waiting for dump to be provided. Still profile that is working is only different from build in serverssl in are of certificate assigned. All other setting are the same as in build in profile - a bit strange that result of using build in profile is loss of communication with target server.
Here is working profile

server-ssl some_name {
    alert-timeout 60
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file none
    cache-size 20000
    cache-timeout 3600
    cert some.crt
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from serverssl
    handshake-timeout 60
    key none
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    partition Common
    passphrase none
    peer-cert-mode ignore
    renegotiate-period indefinite
    renegotiate-size indefinite
    strict-resume disabled
    unclean-shutdown enabled

I was suspecting issues with ciphers but custom profile and build in profile are both using DEFAULT

Piotr

dragonflymr · Answer

Hi,&nbsp;
To sum up - the issue was virtual. As I suspected certificate in this serverssl profile was not necessary (anyway it was pointless to set only certificate).&nbsp;
Admins just did not performed test as I advised them :-)&nbsp;
After doing it with my own hands magically VS started to work without certificate assigned to serverssl profile :-)&nbsp;
Piotr&nbsp;

Forum Discussion

serverssl profile with only certifikate - v10.0.1

5 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Syslog Filter Configuration for Separating Audit and LTM logs.

Use F5 APM as Forward Proxy

Forward proxy with SSL passthrough - SWG license required?

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

F5 Software Downgrade from version 17.x.x to 15.x.x

Related Content

Activate serverssl profile in iRule

F5 BIG-IP Advanced WAF – DOS profile configuration options.

F5 BIG-IP Advanced WAF – "dos profile" reporting

iControl REST Cookbook - Virtual Server Profile (LTM Virtual Profiles)

SSL Profiles Part 8: Client Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS