NimbostratusWe're putting together an LTM config where we're deploying SSL bridging and have received a signed cert from the CA for the Profile SSL (client). Should the cert for the Profile SSL (server) be coming from the servers that are the pool members?
Thanks.
MVPWhere would the cert for Profile SSL (server) come from?
==> F5 System has default certificate "CN=localhost.localdomain" which is used for client & server ssl profile if you don't attach any cert.
Should the cert for the Profile SSL (server) be coming from the servers that are the pool members?
==> No,
NimbostratusThanks for your response. So, we've gotten the cert from the CA and associated it with Profile SSL (client). Where should the cert for the Profile SSL (server) come from aside from using the default cert?
Thanks.
CirrocumulusBigIP works as a full proxy.
That means client side connections are independent from server side connections.
When you configure ssl bridging, the clientssl profile handles the encryption between the users and the virtual server. Thus the settings on that profile are what the users see, with the BigIP's virtual server acting as the server. Whatever settings you put into the clientssl profile (Certificate, Key, Chain, encryption protocols, ciphers, etc.) only affect the side the client sees.
On the server side the BigIP acts as an ssl client to the encryption configured on the servers included on the pool. Unless you have a very particular/specific need, you can just assign the default serverssl profile to the virtual server. If you need to tighten up server side encryption, you can always create a new custom serverssl profile based on the default one, adjust whatever settings you need, and assign it to the virtual server, replacing the default one.
Hope that helps.
AltostratusThanks for your response. I am sorry, but I am still unclear where would the cert that is used in the Profile SSL (server) come from; - would it come from the server as a public cert, so the server would decrypt it using the corresponding private cert?
Thanks.
CirrocumulusThe F5 BigIP will negotiate the encryption to the servers with the certificates installed on the servers.
You can think of it as the browser in your computer connecting to a website. Your browser only negotiates the encryption with the certificate presented by the website.
AltostratusThanks for your reply...