Forum Discussion
J_Saunders_4728
Nimbostratus
NimbostratusSSL Certificate on F5 VIP and Real
All,
I have the following requirement:
I have a VIP with a Verisign certificate configured on it. The VIP listens on port 443, and the Reals/Members listen on port 443. It has been requested to have a self-signed cert on the Server (The Reals) in addition to the Cert installed on the VIP.
My Question:
A self-signed cert has been configured on the server. Is there anything I need to do on the F5 side?
Thanks
HamishCirrocumulus
The minimum on the F5 side is to add server_ssl to the VS so that it will negotiate the SSL/TLS when it connects to the servers. That should work as it is. If you require any options on the server_ssl then create a new server ssl profile, using the server_ssl as a parent and just over-ride the changes in the new profile configuration (Then add the new profile to the VS).
If you already have a custom server ssl profile on your VS then you MAY need to alter it, depending on what is set. But the default one should work fine.
H
J_Saunders_4728Thanks for the quick reply.
So from a configuration perspecitve, assuming this is a basic SSL config on the server side, I just need to enable the default SSL Server Profile (serverssl) on the VIP?
Michael_YatesCorrect. If you have any SSL Certificate on the Server, just set the Server SSL.
The F5 won't care if it is a Self-Signed SSL Certificate or even Expired.
Just verify that the application doesn't mind using a Self-Signed Certificate.- J_Saunders_4728So by enabling the Server profile does this basically 'turn on' encryption for the F5-to-Real_Server communication? Even tho the server listener is 443, its not encrypted until you enable Server side SSL?
Thanks - natheYes, basically Client SSL Profile decrypts and the Server SSL Profile encrypts the traffic.
Rgds
N - J_Saunders_4728I have an additional question about the Self-Singed cert on the server.
If the Self-signed cert expires on the Server, what happens?
- will the communcation between the F5 and Server cease to function?
- will the users connecting to the VIP (that uses this server) see anything?
Thanks - hoolio
Cirrostratus
Nothing will happen unless you are using a server SSL profile which checks for the server cert validity. The client SSL session is independent of anything on the serverside. As long as the serverside connection can be established, the client will not be impacted by anything related to the SSL handshake on the serverside. If the server SSL profile has a server cert set to require, I expect LTM would not complete the serverside handshake and the clientside connection would be timed out or closed.
Aaron - J_Saunders_4728Thanks Hoolio.
I used the default Server SSL Profile called 'serverssl'. Is 'server cert validity' disabled by default? What option/setting would identify the state of cert validity checking? - Michael_YatesYes. It is disabled / set to ignore by default.
Server Authentication under the SSL Profile (Server) has these options:
Ignore: Specifies that the system is to ignore certificates from server systems. This is the default value.
Require: Specifies that the system is to require a server to present a valid certificate. - hoolioIt's under the server cert section on the server SSL profile. If you change Server Certificate from the default of 'ignore' to 'require', LTM will check the start and end dates of the cert and not complete a handshake for an invalid cert. You can also configure a name to look for in the common name field of the server cert. If you want LTM to check the client cert issuer, you can configure a trusted CA cert bundle in the server SSL profile.
Aaron