Forum Discussion
SSL server vs client profile
What is the difference between assigning SSL Server and SSL Client profiles? In my current LTM, I have a lot of SSL certificates, but only a few are assigned to SSL Client profiles, whereas only 1 or 2 are assigned to SSL Server profiles.
What happens to certificates that are not assigned to any SSL profiles?
4 Replies
- jsprattler
Nimbostratus
You will most commonly assign your web servers' SSL certificates to a Client SSL profile by importing the associated SSL certificate and key into the BIG-IP and assigning them to the custom Client SSL profile that will be assigned to the Virtual Server load balancing this traffic.
The Server SSL does not typically contain any SSL certificates or keys as can be seen when viewing the default serverssl profile configuration settings for Certificate and Key which state "None." I highly recommend reviewing the following articles for a better understanding of the differences between these 2 SSL profiles:
SOL14783: Overview of the Client SSL profile (11.x - 12.x)
SOL14806: Overview of the Server SSL profile (11.x - 12.x)
You have to look at these from a BIG-IP point of view, like this:
client side - [client ssl profile ] - big-ip - [server ssl profile ] - server side
The users (clients) are on the client side; their connection is handled by the client SSL profile.
The pool members (your actual (web) servers) are on the server side; their connection from the BIG-IP is handled by the server SSL profile.
So where do certificates matter the most? That is the client side, so in the client SSL profile; that is the certificate that you will see in the browser (for HTTPS servers).
Unused certificates (those which aren't used in a client or server SSL profile) can be deleted if you are sure they aren't needed any more. On the other hand, they don't really hurt you unless you have insane amounts. If they are used you cannot delete them.
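The client-side/server-side split described in the reply above, written out as a tmsh configuration; this is an added example, not part of the original thread or of F5's documentation. All object names (`example_clientssl`, `example_serverssl`, `vs_example_https`, `pool_example`, the `www.example.com` cert/key) and the address 192.0.2.10 are placeholders, the cert/key pair and the pool are assumed to exist already, and the commands are laid out across lines for readability.

```tmsh
# Client side: holds the certificate and key that browsers see on the virtual server.
# www.example.com.crt / .key are placeholder names for an already-imported pair.
create ltm profile client-ssl example_clientssl {
    defaults-from clientssl
    cert-key-chain add {
        example_chain {
            cert www.example.com.crt
            key www.example.com.key
        }
    }
}

# Server side: BIG-IP is the TLS client toward the pool members, so no
# certificate or key is set here (the default serverssl profile shows "None").
create ltm profile server-ssl example_serverssl {
    defaults-from serverssl
}

# Attach each profile to its own side of the same virtual server.
create ltm virtual vs_example_https {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_example
    profiles add {
        tcp { }
        example_clientssl { context clientside }
        example_serverssl { context serverside }
    }
}
```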
- ckwok
Nimbostratus
This is my understanding. There is an Authentication setting with values such as "required", "ignore" and "request", where "Required" & "ignore" are mostly used. "Required": you must put a real cert in the setting, since both F5 and the client or server have to verify the CA (depending on which SSL profile). "Ignored": you don't have to put a real cert; "default" can be used as the cert/key, since F5 will not verify the cert or the CA. The cert/key used in the SSL profile settings are for the verification process only, not for SSL encryption/decryption purposes. The symmetric key used for encryption is generated in a separate process. The key/cert are for verification to establish the SSL connection; if verification fails, the SSL connection will not be established. As to whether you need a client or server SSL profile, that depends on your need to verify the client or the server. F5 will act as a proxy to accelerate and take the load of the authentication process and SSL encryption/decryption, rather than having the backend do all of this for each client individually if F5 is not there.
- gurulee_340176
Altostratus
Thanks! This was helpful and allowed me to verify functionality.