Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Did Serverssl profile require certificate?

kridsana
Cirrocumulus
Cirrocumulus

‎03-Mar-2023 02:44

Hi

We want to use F5 as SSL bridging (Decrypt using ssl client profile and re-encrypt using serverssl profile)

Problem is our server using self-sign root certificate and certificate name is IP server (eg. 10.10.10.1 )

How do we config SSL server profile ?

Should we just choose None on certificate setting?

Should we import self-sign root certificate server using into BIG-IP? where to import?

Thank you
Kridsana

 

Labels:
0 Kudos
5 REPLIES 5

Juergen_Mang
MVP
MVP

‎03-Mar-2023 04:29

It is not a requirement. The default server-ssl profile works without certifcate checking.

Checking the backend certificate enhances the security. Import is done like any other certificates System -> Certificate Management -> Traffic Certificate Management

kridsana
Cirrocumulus
Cirrocumulus
In response to Juergen_Mang

‎03-Mar-2023 07:24 - edited ‎03-Mar-2023 07:24

What if server using self-sign root certificate (eg. Internal-Root-Cert-only-we-have.crt)

Won't F5 have certificate error? because F5 didn't have that self-sign root cert.

 

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP

‎04-Mar-2023 14:49

Hi @kridsana , 
you don't need a certificate or key in server side , it will be fine with you. 
Let me explain some points. 

Imagine you you are browsing a website such as { F5.com } , will you need to setup a specified F5 digital certificate to visit their site ? Actually no , you do not need that , and this common in all public websites. 

So in the case of { SSL bridging } or adding server ssl , it's only you make Bigip to act as a client with the web application server/ pool member which locates behind your Bigip. 

The Bigip in this Case do what you do when visiting any website. 

even if the Server/pool member Certificates don't signed by Public CA , your Bigip will ignore this "trust" Challenge and proceed in ssl negotiations and establishing the needed secure connections between Bigip and the selected pool member. 

This make sense because as a client you don't have to offer a digital certificate to any website , but you as a client waits to receive the "Web site digital Certificate " signed by a well known CA , after that you as a client verifies this Certificate and it's valid duration and signature , then you as a client starts to the Key exchange phase with web site servers ( maybe it is a Bigip or any firewall has the server certificate /public key ..... ). 

Without going in-depth in ssl negotiations and connections , but your connections as a client similar to server side connections in case of ssl bridging , and you can achieve your requirements without adding extra certificates , I mean use the default ssl-server profile , it will not make issues with you.

I hope this helps you.

_______________________
Regards
Mohamed Kansoh

kridsana
Cirrocumulus
Cirrocumulus
In response to Mohamed_Ahmed_Kansoh

‎04-Mar-2023 15:55

Hi @Mohamed_Ahmed_Kansoh 

Thank you for explanation. I now understand F5 doesn't need to import root self-sign certificate of server into F5.

Can I ask one more question?

What happen if server IP 10.10.10.10 but they have certificate name different (not 10.10.10.10) ?  .... eg. CN is server hostname or have CN as ip 192.168.1.1 

Will F5 still ignore trust certificate and everything still working fine?

 

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to kridsana

‎04-Mar-2023 16:17

Yes @kridsana , 

It should work , Bigip ignores any certificate comes from server / pool members ... 

 

_______________________
Regards
Mohamed Kansoh
Copyright © 2023 Khoros, LLC