Forum Discussion

Sanoop_Kuniel_8
Jul 08, 2010

Moving from IHS to F5

We currently have two IBM IHS servers serving content to two different applications using SSL (two different domains, two different SSL certs). Something like:

https://domain1/context1 -> webserver1

https://domain2/context2 -> webserver2

We would like to start using F5 to route traffic to different webservers based on the URL context, hence we would like it to be something like this:

https://F5-vip-domain1/context1 -> https://webserver1/context1

https://F5-vip-domain1/context2 -> https://webserver2/context2

Now the problem that I am having is with the SSL certs. I want to move over the SSL certs from the webserver to the F5, but when I try to set up a clientssl profile, it asks me for a key; all I have is an SSL cert received from Verisign. Secondly, I understand that SSL between F5 -> webserver can use self-signed certs, is that correct?

TIA

2 Replies

  • We are in the process of migrating to F5 as well, from Cisco CSS. We ran into challenges using the same cert; as a result, what we ended up doing was generating a CSR with a key on the LTM, then, using the CSR we generated, we acquired a certificate from Verisign, which came with an intermediary. What I will suggest is to go back to Verisign, have them revoke the cert they assigned you, then generate a CSR with a key, then have them issue a new certificate. Hope that helps...

  • You can probably export the SSL private keys from the existing server(s) they're installed on. You can convert the cert and key to PEM format using openssl. Else, you could do as nassahla suggests and generate a new key and ask for a new cert from the CA.

    And yes, you can use a self-signed cert on the server. With a default server SSL profile, LTM doesn't do any validation of the server cert, so it doesn't matter who the issuer is.

    Aaron
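
The conversion to PEM with openssl mentioned in the reply above, with a check that the converted key actually pairs with the certificate before both are imported for the clientssl profile. This is an added example, not part of the original thread; the file names, the CN and the `P12_PASS` variable are assumptions, and the sample PKCS#12 bundle is constructed to stand in for an export from the existing server.

```shell
#!/bin/sh
# Added example, not from the thread. File names, the CN and P12_PASS are assumptions.

# Succeeds (0) only when the certificate and the private key share a public key.
cert_matches_key() (
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
)

# Split a PKCS#12 bundle into a PEM certificate and a PEM private key.
# The password is read from the exported P12_PASS variable so it never
# appears on the command line (and so not in the process list).
pkcs12_to_pem() (
    p12=$1; cert_out=$2; key_out=$3
    umask 077    # the unencrypted key must be readable by its owner only
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        -out "$cert_out" 2>/dev/null || exit 1
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        -out "$key_out" 2>/dev/null || exit 1
    cert_matches_key "$cert_out" "$key_out"
)

# Constructed sample input: a throwaway self-signed cert and key bundled as
# PKCS#12 in directory $1, standing in for an export from the old web server.
make_sample_p12() (
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain1.example" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null || exit 1
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout env:P12_PASS -out "$1/export.p12" 2>/dev/null
)

demo() (
    export P12_PASS=constructed-sample-password
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    make_sample_p12 "$work" || exit 1
    pkcs12_to_pem "$work/export.p12" "$work/site.crt" "$work/site.key" || exit 1
    # An unrelated key must be rejected for the same certificate.
    openssl genrsa -out "$work/other.key" 2048 2>/dev/null || exit 1
    if cert_matches_key "$work/site.crt" "$work/other.key"; then exit 1; fi
    echo "converted key pairs with cert; unrelated key rejected"
)

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On OpenSSL 3.x, a PKCS#12 file protected with older algorithms may additionally need the `-legacy` option on the two `openssl pkcs12` calls.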