Forum Discussion

Poseidon1974's avatar
Poseidon1974
Icon for Cirrostratus rankCirrostratus
Feb 08, 2023

SSL profile client

Hi,

I have a configuration with VS in https, the backend server carries a certificate, I have configured standard F5 SSL profiles (client/sever), however when the client accesses VS, he has an unsecured connection message in his browser , I think the error would come from the autosigned (defautl) certificate on F5 ? ,  how to erase this message, it is constraining for the user.

Thanks 

6 Replies

    • Poseidon1974's avatar
      Poseidon1974
      Icon for Cirrostratus rankCirrostratus

      H,

      Really thanks , so question , therefore, it is impossible to bypass the error message displayed on the browser without adding a certificate on the F5, is it mandatory? there is no other solution without adding the certificate on the F5, because we already have one on the backend server ? 

      Thanks

      • Ichnafi's avatar
        Ichnafi
        Icon for Cirrostratus rankCirrostratus

        If you don't need to terminate a SSL session on the F5 (for example to look into the http headers, manipulate content, oder do some irule shenanigans like url base loadbalaning, you don't neet to do ssl on the f5 at all.

        Just use a Performance Layer (Layer 4) type for your VS and the F5 will only do Layer 4 Loadbalancing. You are then a bit of limited in things like load-balancing and persistence. Also TCP optimizations towards client and server are not possible.
        Keep in mind, that the VS type will handly traffic differently and you might loose some features.

        Overview of all types: https://my.f5.com/manage/s/article/K55185917
        Overview of how TCP is handled by the different VS: https://support.f5.com/csp/article/K8082

         

  • Yes, that because of the self signed certificate, that the clients browser gets presentet. You have to deliver a propper certificate and chain for your service.

    • Import a propper certificate and chain on the F5
    • Add the certificate and chain to your client-ssl profile (under Certificate Key Chain)
    • Poseidon1974's avatar
      Poseidon1974
      Icon for Cirrostratus rankCirrostratus

      Hi ,

      Thanks for your answer, 

      I could import the existing certificate in the server and add it in F5? could you tell me how to do it and what is the procedure?

      Thanks,