Blue_whale
Feb 27, 2024
Solved

What is the use of Passphrase in client SSL profile?

Hi Team,

When we attach the cert and key to the client SSL profile on the F5, there is also a Passphrase box and we enter that password in the Passphrase box. What is the use of it? Why do we need it? Will it change anything for the client when he accesses the URL?

 cert ASMssl_443.crt
 chain ASMssl_443_CA.crt
 key ASMssl_443.key
 passphrase $M$jZ$w+A2n4vT617oOULB+VN1vA==

  • Hi Blue_whale,

    You have two types of passphrases for certificates:

    1. The first is when you upload your PEM or PFX bundle certificate and this has a password to protect the file.
    2. The second is when the master key is passphrase-protected, and in this case, you have to set the passphrase in the client SSL.

    So, it doesn't change anything for the client; this is an extra security layer to protect the master key and keep it encrypted in the F5. Normally, if the master key is not encrypted, you can export it easily if you have access to the device.

    If you need more info about other SSL profile parameters, please review this link:

    https://my.f5.com/manage/s/article/K14783

    Hope it works.

3 Replies

  • Adding to Sebastiansierra:

    The SSL client certificate "package" contains a private key (seen as the ASMssl_443.key file in your question).
    The password is intended to protect that private key file.
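
Added example, not part of the thread and not F5 code: a check for whether a PEM private key file (such as the ASMssl_443.key from the question) is passphrase-protected at rest, using the standard PEM markers. The function name and the sample blocks are constructed for illustration; the bodies are placeholders, not real key material.

```python
import re

# One PEM block: capture the label and everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def classify_pem_keys(pem_text):
    """Return (label, state) for each private-key block in pem_text.

    state is "encrypted" or "plaintext"; certificates and other
    non-key blocks are skipped.
    """
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # e.g. CERTIFICATE: public data, no passphrase involved
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: the label itself marks encryption.
            state = "encrypted"
        elif re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", body, re.MULTILINE):
            # Traditional OpenSSL format: encryption is marked by PEM headers.
            state = "encrypted"
        else:
            state = "plaintext"
        results.append((label, state))
    return results


# Constructed sample bundle: a certificate plus three key encodings.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, state in classify_pem_keys(SAMPLE):
        print(f"{label}: {state}")
```

A key reported as "plaintext" is readable by anyone who can read the file, which is the exposure the passphrase is meant to reduce; the certificate served to clients is the same either way.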
