Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

2 way ssl facing pool member

Go to solution
f5mkuDefault
Cirrus
Cirrus

‎08-Apr-2021 01:58

hi experts,

 

just want to check, have anyone tried to enable 2 way ssl from which F5 is the client?

We know enabling the 2 way on the client ssl profile, this method F5 is the one authenticating client.

 

How about when it is facing the server? Server will enable 2 way ssl, F5 will be the client. Is this possible?

 

TIA

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎08-Apr-2021 12:28 - last edited on ‎04-Jun-2023 20:58 by Fog

Hi TIA,

yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:

# HTTPS virtual server
server {
        listen 8443 ssl;
        server_name _;
        ssl_certificate /etc/ssl/certs/nginx.crt;
        ssl_certificate_key /etc/ssl/private/nginx.key;
	ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;

And in the Server SSL Profile I configured the following.

ltm profile server-ssl pr_serverssl_mtls {
    app-service none
    cert ffive01.mydomain.com
    defaults-from pr_serverssl
    key ffive01.mydomain.com
}

The cert is issued by My_Domain_Issuing_CA. That's all it needs.

KR

Daniel

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎08-Apr-2021 12:28 - last edited on ‎04-Jun-2023 20:58 by Fog

Hi TIA,

yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:

# HTTPS virtual server
server {
        listen 8443 ssl;
        server_name _;
        ssl_certificate /etc/ssl/certs/nginx.crt;
        ssl_certificate_key /etc/ssl/private/nginx.key;
	ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;

And in the Server SSL Profile I configured the following.

ltm profile server-ssl pr_serverssl_mtls {
    app-service none
    cert ffive01.mydomain.com
    defaults-from pr_serverssl
    key ffive01.mydomain.com
}

The cert is issued by My_Domain_Issuing_CA. That's all it needs.

KR

Daniel

0 Kudos

Go to solution
f5mkuDefault
Cirrus
Cirrus
In response to Daniel_Wolf

‎14-Apr-2021 01:26

thanks Daniel. This helps a lot!

0 Kudos
Copyright © 2023 Khoros, LLC