SSL Renewal / Orchestration?
What are people who use F5 LTM using for SSL ordering/orchestration/renewal? We don't have BIGIP but are running BIGIP Os 16.x.x and I see some integration in the webUI for GOdady, Digicert., etc.. But we mostly use Globalsign / Globalsign API for cert ordering. I'm hoping to have an easy/secure way to renew/order/install certs to the F5 vCMP guests from Globalsign
SSL Server Side Profile
I am looking for some help with SSL Server Profiles. I am looking to decrypt/ASM/re-encrypt If I connect directly to my backend server, everything works I have installed CA cert and configured my SSL client. If I set my backend connections to HTTP and do not apply a SSL server profile, everything works If I then add a custom SSL server, with a parent profile of serverssl I then switch to a pool of HTTPS and get a HTTP error 404 . The requested resource is not found If I remove the server SSL profile and move back, everything is fine. I'm unsure what if anything I am missing: Should I under configuration >> certificate >> key Server Authentication Server certificate >> required >> Trusted cert authorities (what cert do I need here) Any help would be greatly appreciated
Question on configuring SNI clientSSL Profile
Hi Experts , I have a question on configuring the SNI SSL profile .Suppose say I have 3 different certificate and 3 SSL profile to be attached to the VIP to configure SNI . https://www.securesite1.com ClientSSL1 > Default SSL Profile for SNI https://www.securesite2.com ClientSSL2 https://www.securesite3.com ClientSSL3 To enable SNI, we configure the Server Name and Default SSL Profile for SNI will be checked on an SSL profile of ClientSSL1, and then assign the profile to a virtual server. How about on other 2 SSL profiles ClientSSL2 & ClientSSL3 ? For other SSL profiles do I need to type the name for the HTTPS site in the Server Name box ? or it can be left blank ?
Certificate expiry monitoring
Hello Everyone! Would like to ask how you monitor your certs in your F5s? we would like to monitor the certificate expiry on our F5. I am checking our logs on ltm but it seems that the normal certs are not being logged. I only see cert bundles. Can you share how you monitor the certs expiry on f5?Renew BIG-IP device SSL certificate
hello Team, I am going to renew our BIG-IP device SSL certificate, but this time we have GTM so we also need to update the GTM side. This is what I am planning Renew the BIG-IP device SSL certificate via cli on config/httpd/conf/ssl.crt/server.crt Restart the httpd service I am planning to update the GTM via GUI DNS -> GSLB -> Servers -> Trusted Server certificates -> Import -> Append -> paste the new cert Restart the big3d and gtm service Question is, is this correct way? also will this also update my cert on big3d (/config/big3d/client.crt)? If not, do I need to update the cert on big3d? Thank you!INFORM: Entrust CA will be untrusted in Chrome after Oct 31, 2024
If you manage certs from Entrust in your environment, this will impact your Google Chrome users, so intermediate certs will likely need to be bundled to handle this in your clientssl profiles OR if you control all the clients you can assure that explicit trust in the clients is enabled for Entrust CAs. Google details on the situation
Redirect https to https virtual server Certificate question
Hi, i have to redirect a https request to a https virtual server , i have in mind to use an irule as follows: when HTTP_REQUEST { set url [HTTP::uri] if {[regexp {"STRING"} $url]} { virtual /Common/MyVirtual } } To do so , i have to set the HTTP profile (client) to http to be able to assing the corresponding Irule to the VS, but requests doesnt work as i have to select the SSL Profile , here the problem. i created a new SSL client profile and tried to set the Certificate Key chain, but doesnt work ( i think i did it wrong) The source https request is using a certificate, that i can see already stored at the F5 , inside file ca-bundle.crt , also from the source server i was able to get the certificate and tried to create a new certificate , but doesnt work , i think i'm missing the key or something. When creating the certificate it's mandatory to generate it as Certificate Authority? or it can be self? Note: i'm not very good at certificates with F5 , i know how to create irules, manage the F5 and so on .. but i'm lost with the certificates part. Thanks in advance.
LTM SSL handshake failuer (40) with IIS SSL setting Accept
I had an issue that communication from client PC failed with one of pool members. Clinet PC can directly access to the problem member without any issue. If it is accessed through VS, the failure happened. As investigated with packet capture, following error caused the communication failure. Transport Layer Security TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure) Content Type: Alert (21) Version: TLS 1.2 (0x0303) Length: 26 Alert Message Level: Fatal (2) Description: Handshake Failure (40) As I investigated, I found the problem member's IIS SSL setting is set as "Accept". Other working members are set as "Ignore". As I changed the setting to "Ignore", the problem was gone. The IIS SSL setting "Accept" is to accept clinet certificate if it is provided by client. If client did not provide client cetificate, IIS still establish connection. On the VS, SSL server profile is used. the profile setting is almost default. Do you know why BIG-IP fails the SSL communication if the IIS SSL setting is "Accept"?
How to store a certificate in the configuration file?
Documentation for ngx_http_ssl_module says that it's possible to store the certificate (and the key) in variables. The value data:$variable can be specified instead of the file (1.15.10), which loads a certificate from a variable without using intermediate files. Note that inappropriate use of this syntax may have its security implications, such as writing secret key data to error log. Which is implying it's possible to store the certificate value in the variable. I'm trying to guess how to do it and can't find the proper way. I've tried: set $ssl_cert "-----BEGIN CERTIFICATE----- MIIDHDCCAgQC ... -----END CERTIFICATE----- "; and set $ssl_cert "application/x-pem-file;-----BEGIN CERTIFICATE----- MIIDHDCCAgQC ... -----END CERTIFICATE----- "; Both didn't worked. What is the syntax for storing PEM file in the variable?
