cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

2 way ssl facing pool member

f5mkuDefault
Cirrus
Cirrus

hi experts,

 

just want to check, have anyone tried to enable 2 way ssl from which F5 is the client?

We know enabling the 2 way on the client ssl profile, this method F5 is the one authenticating client.

 

How about when it is facing the server? Server will enable 2 way ssl, F5 will be the client. Is this possible?

 

TIA

1 ACCEPTED SOLUTION

Hi TIA,

 

yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:

# HTTPS virtual server server { listen 8443 ssl; server_name _; ssl_certificate /etc/ssl/certs/nginx.crt; ssl_certificate_key /etc/ssl/private/nginx.key; ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;

And in the Server SSL Profile I configured the following.

ltm profile server-ssl pr_serverssl_mtls { app-service none cert ffive01.mydomain.com defaults-from pr_serverssl key ffive01.mydomain.com }

The cert is issued by My_Domain_Issuing_CA. That's all it needs.

 

KR

Daniel

View solution in original post

2 REPLIES 2

Hi TIA,

 

yes, this is possible. In my loadbalancing pool, I have two nginx servers with the following config:

# HTTPS virtual server server { listen 8443 ssl; server_name _; ssl_certificate /etc/ssl/certs/nginx.crt; ssl_certificate_key /etc/ssl/private/nginx.key; ssl_client_certificate /etc/ssl/certs/My_Domain_Issuing_CA.crt;

And in the Server SSL Profile I configured the following.

ltm profile server-ssl pr_serverssl_mtls { app-service none cert ffive01.mydomain.com defaults-from pr_serverssl key ffive01.mydomain.com }

The cert is issued by My_Domain_Issuing_CA. That's all it needs.

 

KR

Daniel

thanks Daniel. This helps a lot!