F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Danny_Arroyo's avatar
Danny_Arroyo
Icon for Cirrus rankCirrus
Jul 13, 2022

Does the F5 LTM communicate securely to a pool member that has a self signed certificate?

Hi. We have a HA pair of i2600 LTMs running 15.1.2.1.  We want to ensure end to end encryption for all our Websites.  We currently have our F5 presenting Trusted public certificates client side.  On...
security
self-signed-certificate serverside end-to-end-encryption
Danny_Arroyo's avatar
Danny_Arroyo
Icon for Cirrus rankCirrus
Jul 14, 2022

Thanks for this information Stephan.  I was not aware of this either.  I will read through the link you provided and get this implemented.

However, based on the standard configuration of our VIPs on the BigIP (that I listed in my last reply), are we still doing end to end encryption?  I am concerned because currently, we dont add the self-signed certificate to the BIG-IP's "Trusted Certificate Authorities".  And from what Rodrigo_Albuque mentioned it means that the self signed cert is not trusted.  Therefore is our traffic from the BigIP to our Pool members secure?

StephanManthey's avatar
StephanManthey
Icon for Nacreous rankNacreous
Jul 14, 2022

I guess, you don´t have activated the setting of Server Authentication : Server Certificate == require in your serverssl profile. So the ca-bundle.crt in the Trusted Certificate Authorities setting will be simply ignored.

It would be required to add the self signed server certificates to a certificate bundle and use it at Trusted Certificate Authorities. If you now modify Server Authentication : Server Certificate from "ignore" (default) to "require" you should be safe.