Forum Discussion

f5mkuDefault
Apr 08, 2021
Solved

2 way ssl facing pool member

Hi experts, just want to check, has anyone tried to enable 2 way ssl from which F5 is the client? We know enabling the 2 way on the client ssl profile, this method F5 is the one authenticatin...
  • Daniel_Wolf
    Apr 08, 2021

    Hi TIA,

    Yes, this is possible. In my load balancing pool, I have two nginx servers with the following config:

    # HTTPS virtual server
    server {
            listen 8443 ssl;
            server_name _;
            # Certificate and key nginx presents to the F5
            ssl_certificate /etc/ssl/certs/nginx.crt;
            ssl_certificate_key /etc/ssl/private/nginx.key;
            # CA used to verify the client certificate sent by the F5
            ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;
    }

    And in the Server SSL Profile I configured the following.

    ltm profile server-ssl pr_serverssl_mtls {
        app-service none
        cert ffive01.mydomain.com
        defaults-from pr_serverssl
        key ffive01.mydomain.com
    }

    The cert is issued by My_Domain_Issuing_CA. That's all it needs.

    KR

    Daniel
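
Added example, not part of Daniel_Wolf's post: the nginx excerpt names the client CA with `ssl_client_certificate`, but whether nginx actually asks the F5 for its certificate is decided by `ssl_verify_client`, which defaults to `off` and does not appear in the excerpt. The Python check below reports that setting for every `server` block in a config; `audit_mtls` and both sample strings are constructed for illustration, and the parser assumes no `#`, `;` or braces inside quoted values.

```python
import re

WATCH = {"ssl_client_certificate", "ssl_verify_client"}

def audit_mtls(conf):
    """Return one finding per nginx server block: is a client certificate required?"""
    conf = re.sub(r"#[^\n]*", "", conf)           # drop comments
    stack, inherited, findings, cur = [], {}, [], None
    for m in re.finditer(r"([^;{}]+)([;{])|\}", conf):
        if m.group(0) == "}":                     # a block closes
            if stack and stack.pop() == "server":
                mode = cur.get("ssl_verify_client", "off")   # nginx default is off
                findings.append({"listen": cur["listen"],
                                 "client_ca": cur.get("ssl_client_certificate"),
                                 "verify": mode,
                                 "client_cert_required": mode == "on"})
            continue
        words = m.group(1).split()
        if not words:
            continue
        name, args = words[0], " ".join(words[1:])
        if m.group(2) == "{":                     # a block opens
            stack.append(name)
            if name == "server":
                cur = dict(inherited, listen=[])  # start from http-level settings
        elif stack[-1:] == ["server"]:            # directive directly in a server block
            if name == "listen":
                cur["listen"].append(args)
            elif name in WATCH:
                cur[name] = args
        elif stack == ["http"] and name in WATCH: # inherited by every server block
            inherited[name] = args
    return findings

# Constructed sample: the server block from the post, closed with a brace.
POSTED = """
server {
    listen 8443 ssl;
    server_name _;
    ssl_certificate /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/private/nginx.key;
    ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;
}
"""
# Constructed variant: the same block with client-certificate verification on.
ENFORCED = POSTED.replace("}", "    ssl_verify_client on;\n}")

if __name__ == "__main__":
    for label, conf in (("as posted", POSTED), ("verify on", ENFORCED)):
        print(label, audit_mtls(conf))
```

A `verify` value of `optional` or `optional_no_ca` means nginx requests the certificate but still accepts connections without one, so the check reports those as not required.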