Forum Discussion

14 Replies

  • Hi,


    Do you mean client authentication via certificate? If so it's quite easy. You have of course terminate SSL on VS using clientssl profile. In the profile you have part named Client Authentication. Actually what you need to populate Trusted Certificate Authorities (with certificates or certificate chains that can validate client certificate send during ssl handshake). To enable just set Client Certificate to require. If you search AskF5 there are at least few articles with more details.




  • Hi Piotr, your answer not work for me. I have configured for my server one way ssl, now I want to configure 2 way ssl autenthication for it. Thank you.


  • Hi,


    Client ---- > F5 ---> Server


    Client to F5 --Use client SSL profile F5 to server --use Server SSL profile


    Please let me know if any more information is required.


  • How to configure those profiles client and server, I have 2 certificates and the chain certificate. Thanks. I am new in F5 Big IP. (((


  • Generate CSR: Login to F5 active device 


    Go to System ›› File Management : SSL Certificate List Click create button and update the details as mentioned below Note: In common name you need to mention FQDN name. If it is not a wildcard certificate then you need to mention as FQDN name. If it is wild card mention * before FQDN. Always select key size as 2048.


    B. Download the CSR file and send to vendor


    C. Vendor will provide following certificates.


    Website certificate --This one you need to import . AddTrustExternalCARoot . UserTrustSAAddtrustCA . Trusted Secure Certificate Authority


    D. Now import the certs as mentioned below. System ›› File Management : SSL Certificate List ›› Import


    E.Key import details are mentioned below. System ›› File Management : SSL Certificate List ›› Import


    Both Cert and key should be same name


    Once cert, key and intermediate certs are imported we need to create SSL client profile


    F.Configure new SSL certs under Client profile


    Create a new profile as mentioned below


    Go to Local Traffic ›› Profiles : SSL : Client In Certificate, key and chain select the files which you created Then click Add Once certificate key chain is update, click finished


    Most of the times you need to update intermedaite certificate. Then you need to bundle certificates other than website certificate and import and call in SSL client profile chain section.


    For Server SSL just assign default existing profile (serverssl-insecure-compatible)


  • I received only web site certificate and chain certificate for this task - 2 way ssl. chain certificate validates the origin of the certificate. the one way ssl was configured already. Explain me please step by step how to configure 2 way ssl for my VS ip:443 only. What must I do with website certificate and chain certificate? I have configured sslclient for my virtual server, but this client was created for one way ssl. I am not able to attache more ssl client profiles to my VS.


    • RaghavendraSY's avatar
      Icon for Altostratus rankAltostratus

      If you want to configure server SSL certificate:


      Go to local Traffic > Virtual server > Click on virtual server > go to configuration section > in server ssl profile >move serverssl-insecure-compatible from available to selected


      If you want to configure client ssl certificate:


      You need certificate and key along with chain certificate. Please confirm whether you have all 3 certificates?


    • Gicu_337843's avatar
      Icon for Nimbostratus rankNimbostratus

      Mr, I want to configure 2 way ssl autenthication for my virtual server Please explain by steps : 1. 2. n.


      only how to configure 2 way ssl autenthication - not more


    • Gicu_337843's avatar
      Icon for Nimbostratus rankNimbostratus

      I think you didn't understand me. I have a virtual server ex. I have 2 sites on it. I configure one way ssl for my VS:created sslclient profile, added certificate, key, chain and bind it to my VS. Now I want to configure 2 way ssl for this VS, when we need the public certificate only. customer sent me a certificate and chain certificate - 2 files only. (we need only client authentication with certificate, where it is not required the Key, because we need to trust only the public certificate that client send to us the key (private key) remains always to the certificate owner, never exchange them) so we need to find a way to import them and tell to the our server to ask for the client certificate