Forum Discussion
SSL offload - pfx certificate
I imported a pfx certificate into the F5 and it includes the certificate and key. When I associate this certificate (client SSL), the site is not working (when I remove it from the virtual server under client SSL, the site works normally). Please advise.
I have another question: do I need to remove the certificate from IIS on the server?
15 Replies
- Brad_Parker
Cirrus
If your pool members are HTTP(port 80) you can just have the clientssl profile. If your pool members are HTTPS(port 443) you will also need a serverssl profile to re-encrypt since your servers are listening on 443.
- DC_Jordan_18536
Nimbostratus
The servers (nodes) are using HTTPS, so please can you advise: what is server SSL? Can I use the same cert and key that I use for client SSL?
- Brad_Parker
Cirrus
The serverssl profile does not require a certificate to be configured. You can use the default serverssl profile. If you need additional certificate validation you can configure that in the Server Authentication section of the server ssl profile, but it is not necessary to make it work.
https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
- DC_Jordan_18536
Nimbostratus
I want to thank you for your support.
So I just need to add the default server profile that is used in the F5, is that right?
On the server side I do not need to remove the certificate, is that right?
I have a question: when I asked the system admin to download the certificate from Symantec, he chose F5 as the server and Symantec provided us two certs (x.cert and an intermediate CA). This confused me.
But I went into MMC (Windows) and exported the certificate with the private key to x.pfx. Is that a good procedure?
- Brad_Parker
Cirrus
Yes, the default serverssl profile will work. Do not remove the cert from the server. Yes, you can export the pfx from the MMC, but I would recommend including the chain by checking "Include all certificates in the certification path if possible" when exporting.
- DC_Jordan_18536
Nimbostratus
Thanks again. So for server SSL, I will go under the virtual server, add server SSL and add the default profile, is that right?
I will try tomorrow to export x.pfx as you mentioned above.
I have a question: if I do not include the chain, will this cause problems?
If I use x.pfx without checking your option and use the intermediate CA that was provided by Symantec, is that right?
So I do not need to use openssl to convert x.pfx to cert and key, is that right?
I am so sorry if I am asking a lot.
- Brad_Parker
Cirrus
Yes, the default serverssl profile. You need the chain in some way on the F5 in the clientssl profile or else users will get errors. If you only export the cert and key in the pfx, you can add the intermediate in the "chain" drop-down in the clientssl profile. No, you do not need to convert the pfx. F5 can natively import the pfx.
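As an added example (not part of the original thread and not F5 code), this shell sketch counts the certificates inside a PFX so you can tell before importing whether the export included the chain. The subjects, file names and password are constructed for the demo, the "intermediate" is a self-signed stand-in, and it assumes the `openssl` CLI is available on a workstation.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Subjects, file names and the password
# are constructed for the demo; assumes the openssl CLI is installed.

# Print how many certificates a PFX holds: 1 = leaf only, 2+ = chain included.
# A wrong password or an unreadable file also prints 0.
pfx_cert_count() {  # usage: pfx_cert_count FILE PASSWORD
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Build a throwaway issuer (stand-in for the intermediate CA) and a server
# certificate in DIR, then export two PFX files:
#   leaf-only.pfx  = cert + key
#   with-chain.pfx = cert + key + issuer certificate
make_demo_pfx() {  # usage: make_demo_pfx DIR PASSWORD
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.crt" \
    -passout "pass:$2" -out "$1/leaf-only.pfx"
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.crt" \
    -certfile "$1/ca.crt" -passout "pass:$2" -out "$1/with-chain.pfx"
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
make_demo_pfx "$demo_dir" 'demo-pass'
for f in leaf-only.pfx with-chain.pfx; do
  echo "$f: $(pfx_cert_count "$demo_dir/$f" 'demo-pass') certificate(s)"
done
```

A count of 1 means the intermediate still has to be supplied separately, as described above for the "chain" setting of the clientssl profile.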
- DC_Jordan_18536
Nimbostratus
I will try your recommendations and advice tomorrow.
I have a last question: when exporting the certificate to x.pfx, it asks for a password. This password will be used only when importing the certificate to the F5 (file management, SSL profile); there is no need for this password under profiles, client SSL, passphrase, is that right?
- Brad_Parker
Cirrus
No, you don't need a password in the clientssl profile unless you choose to secure the key on the F5 when importing it. The password when exporting is just used to import into the F5 or anything else you are importing it into.
- DC_Jordan_18536
Nimbostratus
Thank you very much. I hope tomorrow everything is working based on your advice :)
- julian_mata_164
Nimbostratus
I had somewhat of the same problem, and I had to change my .pfx ext to .crt and that got imported just fine without any issues.
- DC_Jordan_18536
Nimbostratus
It is working now, thanks Brad.
Note: it is working when I choose (apm-default-server) in server SSL; other profiles are not working. Do you have any idea?
- Brad_Parker
Cirrus
You are most welcome.
- DC_Jordan_18536
Nimbostratus
Brad, just a question: why is just the apm-default-server profile working and the other ones are not working?