For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ashish_M_Gupta_'s avatar
Ashish_M_Gupta_
Icon for Nimbostratus rankNimbostratus
Aug 20, 2018

Virtual server with server side profile : Do I need a cert on the backend servers?

If the VIP is assigned the default server SSL profile "serverssl" with default settings, do I need the cert on the backend servers for that virtual server? If not, why is that so? Under what circumst...
application delivery
BIG-IP
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Aug 20, 2018

You require a certificate on your backend server when you want to encrypt the communication from the F5 to your backend server. Typically you would have a client SSL certificate too, encrypting communication between the client and the F5. This is commonly known as 'end-to-end encryption'.

 

You will need to maintain certificates on both your F5 (client-ssl) and separately on your web server.

 

You can use the server-ssl profile to instruct F5 that the backend is using encryption and to initiate a TSL handshake.

 

If you don't have certificates on the bankend server, you do not need a server-ssl profile. You would simply terminate SSL on the VIP and send un-encrypted traffic to the backend. This is typically known as 'SSL offload'