wallst32_178793
Jan 06, 2016

SSL profile client configuration

I installed a new SSL certificate on an F5 LTM, and created a new SSL client profile for it via the web GUI. I decided to use TMSH (ltm profile client-ssl profile-name) to compare the configuration to existing SSL client profiles currently in use, to standardize the settings and ensure nothing was missing. What I found was the existing profiles all had additional "settings" in them; specifically:

    cert my-cert-name.crt
    chain none
    key my-cert-name.key
    passphrase none

I'm not sure where these settings would be configured via the web GUI, and also they appear redundant with the information that is contained in the cert-key-chain block (which exists on both the existing and new profiles). The new profile was attached to a test VIP and it served the SSL certificate without issue.

 

Please advise; thanks.

 

5 Replies

  • Hi,

     

    Did you make sure your ssl client profile is using your configured cert/key pair? In the latest versions of TMOS (>= 11.5.0 but I'm not sure) you have to not only select key and pair from the drop-down boxes but you need to also click 'Add' to add them to the list.

     

  • We are running TMOS version 11.6. I believe the cert/keypair is selected correctly. The items were selected from the drop downs, and the ADD button was clicked which puts the entry in the GUI "box". Also, those should be the settings responsible for creating the "cert-key-chain" block shown in the config.

     

    • Amine_Kadimi
      This is weird. What happens if you associate your created profile with an HTTPS VS and then open a browser to that VS and display the certificate from the browser? Do you see the default F5 cert or yours?
    • wallst32_178793
      The correct certificate loads in a browser in both cases; when the SSL Profile contains the "chain" and when it does not. When the "chain" is not included, I used third party "SSL checkers" to confirm the chain validation. That is why I stated in my other comment I wasn't really sure if these additional settings are required. The chain bundle is already specified in the SSL profile (Client Authentication - Trusted Certificate Authorities).
  • This issue was "resolved" by adding the CA chain cert in addition to the certificate and the key. I'm not really sure it's required as the CA bundle is already specified elsewhere in the profile, and the profile works without it.
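
Added example, not part of the thread and not F5 code: a Python check that automates the comparison the original poster did by eye, reporting where a profile's top-level cert/key/chain lines disagree with its cert-key-chain block. It assumes the brace-delimited layout of tmsh list output; both sample profiles and the entry name inside cert-key-chain are constructed for illustration.

```python
# Constructed samples: an older profile with top-level lines, a new one without.
SAMPLE_OLD = """\
ltm profile client-ssl old-profile {
    cert my-cert-name.crt
    cert-key-chain {
        my-cert-name {
            cert my-cert-name.crt
            chain none
            key my-cert-name.key
        }
    }
    chain none
    key my-cert-name.key
    passphrase none
}
"""
SAMPLE_NEW = """\
ltm profile client-ssl new-profile {
    cert-key-chain {
        my-cert-name {
            cert my-cert-name.crt
            key my-cert-name.key
        }
    }
}
"""

def parse_block(lines):
    """Consume lines up to the matching '}' and return a nested dict."""
    node = {}
    for line in lines:
        line = line.strip()
        if line == "}":
            break
        if line.endswith("{"):
            node[line[:-1].strip()] = parse_block(lines)  # shared iterator
        elif line:
            key, _, value = line.partition(" ")
            node[key] = value.strip()
    return node

def compare(text):
    """Map each mismatched setting to (top-level value, nested values)."""
    profile = next(iter(parse_block(iter(text.splitlines())).values()))
    entries = list(profile.get("cert-key-chain", {}).values())
    diffs = {}
    for setting in ("cert", "key", "chain"):
        top, nested = profile.get(setting), [e.get(setting) for e in entries]
        if any(v != top for v in nested):
            diffs[setting] = (top, nested)
    return diffs
```

An empty result means the top-level lines and the cert-key-chain entries name the same files; a value of None marks a setting that is absent at that level.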