Forum Discussion

f5mkuDefault's avatar
Apr 08, 2021
Solved

2 way ssl facing pool member

hi experts,

 

just want to check, have anyone tried to enable 2 way ssl from which F5 is the client?

We know enabling the 2 way on the client ssl profile, this method F5 is the one authenticating client.

 

How about when it is facing the server? Server will enable 2 way ssl, F5 will be the client. Is this possible?

 

TIA

  • Hi TIA,

    yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:

    # HTTPS virtual server
    server {
            listen 8443 ssl;
            server_name _;
            ssl_certificate /etc/ssl/certs/nginx.crt;
            ssl_certificate_key /etc/ssl/private/nginx.key;
    	ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;

    And in the Server SSL Profile I configured the following.

    ltm profile server-ssl pr_serverssl_mtls {
        app-service none
        cert ffive01.mydomain.com
        defaults-from pr_serverssl
        key ffive01.mydomain.com
    }

    The cert is issued by My_Domain_Issuing_CA. That's all it needs.

    KR

    Daniel

2 Replies

  • Hi TIA,

    yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:

    # HTTPS virtual server
    server {
            listen 8443 ssl;
            server_name _;
            ssl_certificate /etc/ssl/certs/nginx.crt;
            ssl_certificate_key /etc/ssl/private/nginx.key;
    	ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;

    And in the Server SSL Profile I configured the following.

    ltm profile server-ssl pr_serverssl_mtls {
        app-service none
        cert ffive01.mydomain.com
        defaults-from pr_serverssl
        key ffive01.mydomain.com
    }

    The cert is issued by My_Domain_Issuing_CA. That's all it needs.

    KR

    Daniel