Forum Discussion

Michaelyang's avatar
Michaelyang
Icon for Cirrostratus rankCirrostratus
Nov 16, 2022
Solved

Client vs Server SSL profile

Hello, Here's my structure client side - [client ssl profile ] - big-ip - [server ssl profile ] - server side   If the server has its own certificate and key, do the F5 client SSL profile and s...
application delivery
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Nov 16, 2022

    Hi Michaelyang
      As Amine_Kadimi , its mandatory to implement client and server side ssl profile. 

    > Regarding Client side :

    -  you must install a valid signed certificate from CA and its relevant key.

    -  In Full Proxy architecture mode , you need to add client ssl profile " attached to it ( Valid signed Digital Certificate , and Key ) " 

    -  then , assign this profile to your virtual server.
    -  that’s For ssl termination and Traffic Decryption on F5. 
     
    >regarding Servers side : 
    -  F5 able to initiate a secure connection again with servers by using the default server side ssl profile "serverssl"  , it is sufficient for that as long you do not want to put restrictions on specific Cipher suites or Authenticate by using certificate in this case you need to create a custom server ssl profile and change some configuration on this profile depending on your requirements.
    -  So it is not mandatory to put the server certificate on servers side ssl profile , as the default profile can accept "any" and Re-encrypt traffic again as well. 

    - Assigning servers ssl profile means that you want F5 it self to act as a ssl client to backend servers. 

    Regards.

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Nov 16, 2022

Hi Michaelyang
  As Amine_Kadimi , its mandatory to implement client and server side ssl profile. 

> Regarding Client side :

-  you must install a valid signed certificate from CA and its relevant key.

-  In Full Proxy architecture mode , you need to add client ssl profile " attached to it ( Valid signed Digital Certificate , and Key ) " 

-  then , assign this profile to your virtual server.
-  that’s For ssl termination and Traffic Decryption on F5. 
 
>regarding Servers side : 
-  F5 able to initiate a secure connection again with servers by using the default server side ssl profile "serverssl"  , it is sufficient for that as long you do not want to put restrictions on specific Cipher suites or Authenticate by using certificate in this case you need to create a custom server ssl profile and change some configuration on this profile depending on your requirements.
-  So it is not mandatory to put the server certificate on servers side ssl profile , as the default profile can accept "any" and Re-encrypt traffic again as well. 

- Assigning servers ssl profile means that you want F5 it self to act as a ssl client to backend servers. 

Regards.