Forum Discussion
Greetings Dirken,
I have no background with Windows Server, but let me offer some background on BIG-IP; there may be some overlap in behavior.
If you wish to have a server-ssl profile send a certificate, you must also include the key.
If you wish to have a client-ssl profile send a certificate, you must:
- Import the certificate and key.
- Associate the certificate and key with the client-ssl profile.
- Associate the profile with a virtual server.
So in summary, perhaps try importing the accompanying key and ensure whatever service (IIS?) is configured to reference the certificate and key.
Good luck, hope you get this resolved soon!
Kevin
- dirken, Jun 06, 2017, Nimbostratus
Hi Kevin,
- Kevin_K_51432, Jun 06, 2017, Historic F5 Account
Hi Dirken,
"the server side is fine, my problem is the client side. The clients connecting to the VS, however, are Windows 2016 servers - maybe this created a bit of confusion."
No, that's what I was expecting (Server on client side of BIG-IP). Just to reiterate, when BIG-IP is in the position of your Win2016 server, it will not send a client certificate without the key. It needs both. I'm wondering if that's your problem. Maybe an SSL standard, just a shot in the dark. Also, what service on the Windows 2016 server is making the connection? IIS or which one? Does it need to reference this key pair?
Lastly, BIG-IP could not pass client certificates when configured to terminate SSL for the longest time. We finally implemented two different SSL proxies and they are able to do this. I wonder if your Windows server has an SSL proxy feature?
Kevin