
fubarSUSHI
Jun 25, 2014

SSL Bridging - trying to understand "further" about Profiles>SSL>Server>serverssl

I'm trying to understand different points of view in regards to the serverssl profile and how to properly use it.

Let me give my rudimentary understanding and I'm hoping for others to fill in the holes...

  1. Client in the cloud connects to a VS on 443 and the SSL (client profile) gets terminated on the F5.
  2. SSL Bridging takes place and uses the server profile "serverssl" to re-encrypt.
  3. 443 traffic from the LTM gets terminated by the web server using the SSL cert located on the server itself.

This is my question: Do I need to modify my "serverssl" profile to have a matching key/crt with the IIS server SSL cert? From my understanding... that's a NO! The serverssl profile only treats the LTM as a new client, and the LTM itself, acting like a client, receives the SSL information from the IIS server.

But I'm being informed that it will not work unless I match the serverssl profile with a key/crt corresponding to the IIS cert. Please shed light!!!

1 Reply

  • Your original assumption is correct. In most cases, you don't have to modify the default serverssl profile. The certificate and key options in the server SSL profile are for the odd chance that you want to pass a client certificate in the SSL handshake between the F5 and the backend server. It's always going to be a single static certificate, so this option is rarely used. In a typical SSL handshake, one that does not require mutual authentication, the server sends its certificate to the client and the client determines if it trusts that certificate. If you're familiar with the prompt a browser pops up if a server certificate isn't trusted, that's generally because either 1) you used an IP address in the address bar, 2) the server certificate is expired, or 3) you don't have an explicit chain of trust with the issuer of the server's certificate. The server SSL profile would experience that same thing, but is programmed to ignore certificate warnings in the absence of any specific configuration to act otherwise.
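As an added illustration of the two points in the reply (the cert/key settings are only for a client certificate toward the backend, and the default profile does not fail the handshake on an untrusted server certificate), here is a tmsh configuration fragment in bigip.conf style. It is not from the post or from F5; it shows a server SSL profile that relies on the defaults next to one that actually validates the IIS certificate, and a bridging virtual server that uses them. The object names (serverssl-bridge-default, serverssl-verify-iis, clientssl-example, pool_iis_443, iis-ca-bundle.crt), the hostname www.example.com and the addresses are placeholders; the option names are the ones I know from TMOS 11.x (peer-cert-mode, ca-file, authenticate-name, server-name) and should be checked against the tmsh reference for the version in use.

```tmsh
# Added example, not from the post. Names, hostname and addresses are placeholders.

# Profile 1: inherits the built-in serverssl. The LTM acts as a TLS client toward
# IIS, sends no client certificate (cert/key stay "none"), and with
# peer-cert-mode ignore it completes the handshake even if the IIS certificate
# is self-signed, expired, or issued by a CA the LTM has never heard of.
# This is the behaviour the reply describes, made explicit here.
ltm profile server-ssl serverssl-bridge-default {
    defaults-from serverssl
    cert none
    key none
    peer-cert-mode ignore
}

# Profile 2: same bridging, but the LTM now verifies the backend the way a
# browser would. The cert/key options are still untouched: the IIS server's
# certificate stays on the IIS server. What the LTM needs instead is the CA
# chain that issued that certificate (imported as iis-ca-bundle.crt) and the
# name it expects to see in the certificate.
ltm profile server-ssl serverssl-verify-iis {
    defaults-from serverssl
    peer-cert-mode require          # drop the connection if the chain does not validate
    ca-file iis-ca-bundle.crt       # CA bundle that signed the IIS certificate
    authenticate-name www.example.com   # the CN/SAN the IIS certificate must carry
    server-name www.example.com     # SNI sent to IIS, needed if it hosts several certs
}

# Bridging virtual server: client SSL terminates on the client side,
# the server SSL profile re-encrypts on the server side. Swap
# serverssl-verify-iis for serverssl-bridge-default to get the permissive
# behaviour described in the reply.
ltm virtual vs_iis_bridge {
    destination 203.0.113.10:443
    ip-protocol tcp
    pool pool_iis_443
    profiles {
        tcp { }
        http { }
        clientssl-example {
            context clientside
        }
        serverssl-verify-iis {
            context serverside
        }
    }
    source-address-translation {
        type automap
    }
}
```

The practical check is the same one a browser applies: if the IIS certificate is issued by an internal CA, the bundle in ca-file must contain that CA (and any intermediates), and authenticate-name must match the name on the certificate, or the verifying profile will mark the pool member's handshakes as failed while the permissive profile keeps passing traffic.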