SSL Encryption with Default server ssl profile

Question

How does SSL encryption happens with default server ssl profile?
Why does the certificate needs to be the same on LTM and pool members? Can the certificate on client-ssl profile and pool members have the same hostname but different intermediate and root certificate?&nbsp;

rob_carr · Answer

How does SSL encryption happens with default server ssl profile?
&nbsp;This is a really big question, can you perhaps offer a bit more focused question?&nbsp;
Why does the certificate needs to be the same on LTM and pool members?&nbsp;
The certificate configured on an SSL enabled (e.g. has a clientssl profile) does not need to match the certificate configured on the pool members.  It's common to have a commercially signed certificate on the VIP and self-signed certificates on pool members.&nbsp;
Can the certificate on client-ssl profile and pool members have the same hostname but different intermediate and root certificate?
&nbsp;I can't see any reason why not.  The serverssl profile, which controls negotiation of SSL between the BIG-IP and pool members doesn't need a validated certificate on the pool member, it just needs any certificate in order to be able to negotiate a connection.&nbsp;

rob_carr_76748 · Answer

How does SSL encryption happens with default server ssl profile?
&nbsp;This is a really big question, can you perhaps offer a bit more focused question?&nbsp;
Why does the certificate needs to be the same on LTM and pool members?&nbsp;
The certificate configured on an SSL enabled (e.g. has a clientssl profile) does not need to match the certificate configured on the pool members.  It's common to have a commercially signed certificate on the VIP and self-signed certificates on pool members.&nbsp;
Can the certificate on client-ssl profile and pool members have the same hostname but different intermediate and root certificate?
&nbsp;I can't see any reason why not.  The serverssl profile, which controls negotiation of SSL between the BIG-IP and pool members doesn't need a validated certificate on the pool member, it just needs any certificate in order to be able to negotiate a connection.&nbsp;

raghavendrasy · Answer

In simple layman language client SSL profile is encrypting the traffic from end user to virtual server on F5 and server ssl profile is encrypting the traffic from F5 to servers.&nbsp;

Forum Discussion

SSL Encryption with Default server ssl profile

3 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Unblock Request WAF

Share what you learned on DevCentral in 2025

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Automate Let's Encrypt Certificates on BIG-IP

Encrypted UCS Backup with REST-API

Load Balancing TCP TLS Encrypted Syslog Messages

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS