Forum Discussion

Ashish_M_Gupta_ (Nimbostratus)
Aug 20, 2018

Virtual server with server side profile : Do I need a cert on the backend servers?

If the VIP is assigned the default server SSL profile "serverssl" with default settings, do I need the cert on the backend servers for that virtual server? If not, why is that so? Under what circumstances do I need the cert on the backend servers?

 

6 Replies

  • If your backend server is running SSL, you may need to add a server SSL profile to the virtual server. It also means you need a certificate installed on your backend servers.

     

    • Ashish_M_Gupta_ (Nimbostratus)

      Thank you. So, it means even if I keep the default profile 'serverssl' with the default settings for the virtual server, I HAVE TO have the private cert on the backend server (e.g. IIS) and maintain it?

       

    • Kevin_Stewart (Employee)

      As Quantiti stated, this depends on whether or not you re-encrypt to the backend server. If you don't, then no serverssl profile is required. If you do, then the backend server must possess a server certificate and private key. Normally you can't enable an Apache or IIS server for encryption without specifying these.

       

      But it's also important to understand that the cert and key on the backend server doesn't have to be a public, purchased set. You can very easily use a generic internally-crafted cert and key. The default serverssl profile is defined to ignore certificate trust errors.

       

    • Kevin_Stewart (Employee)

      SSL/TLS encryption relies on certificates and private keys. Any server that wants to do TLS MUST possess a certificate and associated private key. However, BIG-IP doesn't care what cert and key you use on the internal application server, as it will ignore any untrusted cert warnings. You can literally attach an internally-created self-signed cert and key to the web server that doesn't expire for 42 years.

       

  • Hi,

     

    In your VIP, if you assign an SSL server profile, that means that your backend servers use an SSL certificate. When you set an SSL server profile, you tell F5 that the backend server has an SSL certificate and therefore it is necessary to communicate with your backend by using the SSL/TLS protocol.

     

    F5 explanation: The BIG-IP Server SSL profile enables the BIG-IP system to initiate secure connections to your SSL servers by using a fully SSL-encapsulated protocol and providing configurable settings for managing server-side SSL connections.

     

    And to answer your question: if you set an SSL server profile on your VS, you must have a certificate on your backend, otherwise it will not work. And vice versa: if you do not have an SSL profile on your VS, your backend server must not have a certificate (i.e. must not use the TLS/SSL protocol).

     

    regards,

     

  • You require a certificate on your backend server when you want to encrypt the communication from the F5 to your backend server. Typically you would have a client SSL certificate too, encrypting communication between the client and the F5. This is commonly known as 'end-to-end encryption'.

     

    You will need to maintain certificates on both your F5 (client-ssl) and separately on your web server.

     

    You can use the server-ssl profile to instruct F5 that the backend is using encryption and to initiate a TLS handshake.

     

    If you don't have certificates on the backend server, you do not need a server-ssl profile. You would simply terminate SSL on the VIP and send unencrypted traffic to the backend. This is typically known as 'SSL offload'.
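The two points made in this thread, that a TLS backend must hold a certificate and private key and that the default serverssl posture ignores trust errors (Kevin's reply), and that a VIP with no server-ssl profile sends cleartext that a TLS-only backend cannot accept (the reply above), can be reproduced on a loopback listener. The Go program below is an added example, not code from the thread or from F5: the backend name `app.internal`, the in-memory self-signed certificate, the loopback listener and the `Outcome` field names are all constructed for it. It also shows the hardened variant a practitioner would want on the server-side hop: strict chain verification against an internal CA, which is the Go equivalent of making the profile require a trusted server certificate instead of ignoring trust errors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds an in-memory self-signed certificate and key for the
// constructed backend name "app.internal". No TLS server can complete a single
// handshake without a pair like this, whatever the load balancer in front of it does.
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "app.internal"},
		DNSNames:              []string{"app.internal"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(42 * 365 * 24 * time.Hour), // long-lived internal cert, as in the thread
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startBackend stands in for the pool member: a TLS-only listener on loopback
// that completes the handshake and hangs up. Non-TLS bytes make the handshake
// fail, so a cleartext client just sees the connection drop.
func startBackend(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln, nil
}

// dialBackend plays the load balancer's server side. verify=false is the posture
// the thread describes for the default serverssl profile (trust errors ignored);
// verify=true requires a chain to roots, which an internal CA makes possible.
func dialBackend(addr string, verify bool, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: "app.internal", InsecureSkipVerify: !verify, RootCAs: roots}
	c, err := tls.Dial("tcp", addr, cfg) // tls.Dial runs the full handshake
	if err != nil {
		return err
	}
	return c.Close()
}

// dialPlaintext is a virtual server with no server-ssl profile ("SSL offload")
// sending cleartext HTTP to a backend that only speaks TLS.
func dialPlaintext(addr string) error {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return err
	}
	defer c.Close()
	_ = c.SetDeadline(time.Now().Add(3 * time.Second))
	if _, err := fmt.Fprint(c, "GET / HTTP/1.0\r\n\r\n"); err != nil {
		return err
	}
	buf := make([]byte, 16)
	n, err := c.Read(buf) // the TLS backend rejects the non-TLS record and closes
	if err != nil {
		return err
	}
	if n < 5 || string(buf[:5]) != "HTTP/" {
		return fmt.Errorf("backend did not answer in HTTP: %q", buf[:n])
	}
	return nil
}

// Outcome records which connection styles completed a handshake.
type Outcome struct {
	TrustIgnored      bool // serverssl default posture: any cert works
	StrictSystemRoots bool // strict verification, self-signed cert: rejected
	StrictInternalCA  bool // strict verification with the internal cert trusted: works
	Plaintext         bool // no server-ssl profile against a TLS backend: fails
}

func runScenarios() (Outcome, error) {
	cert, err := newSelfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	ln, err := startBackend(cert)
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	pool := x509.NewCertPool() // the "internal CA" trust store: just the backend's own cert here
	pool.AddCert(cert.Leaf)
	return Outcome{
		TrustIgnored:      dialBackend(addr, false, nil) == nil,
		StrictSystemRoots: dialBackend(addr, true, nil) == nil,
		StrictInternalCA:  dialBackend(addr, true, pool) == nil,
		Plaintext:         dialPlaintext(addr) == nil,
	}, nil
}

func main() {
	o, err := runScenarios()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints `{TrustIgnored:true StrictSystemRoots:false StrictInternalCA:true Plaintext:false}`. The first and last fields are the two facts from the thread; the middle two show why ignoring trust errors is a convenience rather than a security control: it encrypts the hop but accepts whoever answers on that port, whereas trusting a small internal CA keeps the self-signed convenience while still detecting a substituted endpoint.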