Question on configuring SNI clientSSL Profile
Hi Experts , I have a question on configuring the SNI SSL profile .Suppose say I have 3 different certificate and 3 SSL profile to be attached to the VIP to configure SNI . https://www.securesite1.com ClientSSL1 > Default SSL Profile for SNI https://www.securesite2.com ClientSSL2 https://www.securesite3.com ClientSSL3 To enable SNI, we configure the Server Name and Default SSL Profile for SNI will be checked on an SSL profile of ClientSSL1, and then assign the profile to a virtual server. How about on other 2 SSL profiles ClientSSL2 & ClientSSL3 ? For other SSL profiles do I need to type the name for the HTTPS site in the Server Name box ? or it can be left blank ?
Certificate expiry monitoring
Hello Everyone! Would like to ask how you monitor your certs in your F5s? we would like to monitor the certificate expiry on our F5. I am checking our logs on ltm but it seems that the normal certs are not being logged. I only see cert bundles. Can you share how you monitor the certs expiry on f5?serverssl cipher suites
Hi, Is there an easier way to know what are the cipher suites that the backend server (pool member) can support? I have read an article but it requires to create a script. I know there is openssl but this will only show the cipher that the backend server used to communicate back with F5. So I was thinking like if from F5 perspective will it be able to perform an sslscan what are the available ciphers suites the backend server can support? Thanks, and regards, Rechie
Missing Certificate after redirect
We have a requirement for any calls coming into https://abc.com to be redirected to Azure APIM https://apim-xyz.com/api A simple following rule has been setup in F5 for calls coming into https://abc.com when HTTP_REQUEST { HTTP::respond 307 Location "https://apim-xyz.com/api" } But the problem we are facing is with client certificate. After the redirect, the client certificate is no longer available and new URL "https://apim-xyz.com/api" is not able to validate the request. We have no control over the client. We can control F5, redirect and server. Any help would be greatly appreciated.
iQuery/ Big-IP DNS server certificate trust problem
Unable to establish iQuery between bigip devices. Connectivity is in place but failing with: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I take this to be a certificate chain failure. The device certificates have been added to both DNS > GSLB > Servers > Trusted Server Certificates and System > Cert Mgmt > Device Cert Mgmt > Device Trust Certs. Yet, still no joy, running openssl confirms trust issues. Device certs are issued by a 2 tier PKI (intermediary and root). Big IP is 13 HF 2. Any suggestions? Is it common place to be using internal certs here?How to Create a CSR in Powershell/iControl using an Existing Key
Hello, I am trying to automate CSR creation on the BigIP with iControl/Powershell. I can easily create new CSRs using new keys, but I can't figure out how to generate a CSR using an existing key. We need to do this so that we can update our SAN certs without invalidating the existing Certificate/key pair while we process the request with our provider. I use this to create a new key for a brand new CSR/Certificate request ... $CSRKey = New-Object -TypeName iControl.ManagementKeyCertificateKey_v2; $CSRKey.id = 'www.sitename.com'; $CSRKey.key_type = 'KTYPE_RSA_PUBLIC'; $CSRKey.bit_length = 2048; $CSRKey.security = 'STYPE_NORMAL'; ... but I can't find any functions in the iControl Reference Wiki to grab an existing key to use for the CSR. Can anyone point me in the right direction? Thanks!, Sean
Windows 2012 CA certs for F5
Hi all, as we have to move our Certificates to SHA2 we have a new Windows 2012 CA server. After creating new Web certs from the new CA server, we had "Connection Closed" on different browsers when trying to reach the VIPs on port 443. The SSL client certs ciphers have been left as default. There's no irules and the VIPs are standard. When I put back the Windows 2003 CA certificates, it's working. I run the open ssl below and found that no certificates is shown with the new CA certs. I have compare both certificates and there's no difference in the properties that I can see other than the sha1 & sha2. Would anyone be able to advise what might be missing from our new CA server templates configuration ? [adm@Host:Active:Changes Pending] ~ openssl s_client -connect 172.20.50.20:443 CONNECTED(00000003) 47898972639784:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 277 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- I check on both the certificate and key and there's are the same`` [adm@Host:Active:Changes Pending] certificate_d openssl x509 -noout -modulus -in /config/filestore/files_d/Common_d/certificate_d/:Common:Test.crt_77214_1 | openssl md5 (stdin)= 5773260e200ee58e7c89ae5a374d9a64 [adm@Host:Active:Changes Pending] certificate_key_d openssl rsa -noout -modulus -in /config/filestore/files_d/Common_d/certificate_key_d/:Common:Test.key_77211_1 | openssl md5 (stdin)= 5773260e200ee58e7c89ae5a374d9a64
