Virtual server with server side profile : Do I need a cert on the backend servers?

Thank you. So, it means even if I keep the default profile ‘serverssl’ with the default setting for the virtual server , I HAVE TO have the private cert on the backend server(e.g. IIS) and maintain them?

As Quantiti stated, this depends on whether or not you re-encrypt to the backend server. If you don't, then no serverssl profile is required. If you do, then the backend server must possess a server certificate and private key. Normally you'd can't enable an Apache or IIS server for encryption without specifying these.

But it's also important to understand that the cert and key on the backend server doesn't have to be a public, purchased set. You can very easily use a generic internally-crafted cert and key. The default serverssl profile is defined to ignore certificate trust errors.

SSL/TLS encryption relies on certificates and private keys. Any server that wants to do TLS MUST possess a certificate and associated private key. However, BIG-IP doesn't care what cert and key you use on the internal application server, as it will ignore any untrusted cert warnings. You can literally attach an internally-created self-signed cert and key to the web server that doesn't expire for 42 years.