Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

F5 monitor with client certificate chain




I am attempting to set up a monitor with client certificate authentication and I can configure the monitor with the key/cert appropriately, but there does not seem to be a method for sending the full trust chain with the request like I can with a server profile.


Can I set up a monitor that sends the trust chain with the client certificate during SSL? If so, how can I do this? If you have a link to documentation, that would be great too.





F5 Employee
F5 Employee

You may be able to create your client auth certificate with the appropriate intermediate/root certificates appended. You will need to test this - I'm not sure if it will work.


Alternatively, on version 13.1.0.x, you could enable In-TMM Monitoring


K11323537: Configuring In-TMM monitoring


This new feature allows TMM-based HTTPS monitors to use an existing server-SSL profile to establish SSL/TLS to a pool member.


However - this comes with a caveat...


Once you enable In-TMM monitors via the db variable, you will need to update all existing HTTPS monitors to use a suitable server-side ssl profile. There is no current migration process from bigd (OpenSSL-based) settings to TMM (F5 crypto) monitor settings, and unmodified HTTPS monitors will fail in the config due to an incompatible cipher string.




In addition to the reply of @Simon_Blakely I want to add,  that with In-TMM monitoring the healthchecks will definitely be send through TMM interfaces only.

Before it was possible, that a healthcheck went out through the MGMT interface in case there was a better route to the node.

With In-TMM monitoring you now have the ability to use SNI (server name indication). Previous TMOS versions required using external monitors to get this done.