Forum Discussion

Nimbostratus

Mar 17, 2010

SSL Certificates and PKI

Our application allows users to log in to the web server using PKI certificates and all SSL offloading is done on the server. I was wondering if you could have a client connect to the B...

config

design

Kevin_Stewart

Employee

Oct 03, 2012

Exactly! Given a copy of the server's private key, ProxySSL becomes a party to the key negotiation between the client and server so that it has a copy of the derived session key used for encryption. So while the BIG-IP is technically decrypting and re-encrypting, the client and server are completely unaware.

That said, there are some limitations to what you can do with ProxySSL. The client and server have to be able to negotiate their SSL session uninterrupted. Any iRules you use must not alter the path or flow of the traffic.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SSL Certificates and PKI

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Updating SSL Certificates on BIG-IP using REST API

Automating Certificate Management on F5 BIG-IP

Implementing SSL Orchestrator - Certificate Considerations

SSL Certificate Report

Automating ACMEv2 Certificate Management on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS