Forum Discussion

Dazzla_20011's avatar
Dazzla_20011
Icon for Nimbostratus rankNimbostratus
Mar 25, 2011

Server-side SSL

Hi,

 

 

Currently we only do client-side SSL on the F5. I've been asked if we can encrypt the traffic from the F5 to web servers. I know the F5 can do server side ssl so just wonderered if someone could confirm the follwing steps are correct to do this?

 

 

Install a certificate on the web servers, a self signed certificate should be OK.

 

Create a server side SSL profile on the LTM.

 

Apply the SSL profile to the Virtual Server

 

 

It seems very simple, am I correct?

 

 

Also could this have any impact on the ASM as we are just starting to set this up?

 

 

Thanks

 

Darren

 

  • I usually get certificate error whenever I access any page with self signed certificate, will f5 show similar behaviorif you mean serverssl, no if trusted certificate authorities is configured correctly. the default is none which means f5 will accept server (pool member)'s certificate signed by any ca.

     

     

    The Trusted Certificate Authorities setting is optional. This setting is used to specify the CA(s) that BIG-IP trusts when verifying a server certificate. The default value is None, which means the BIG-IP system will accept a server certificate signed by any CA.

     

     

    sol11220: Overview of the Server SSL profile

     

    http://support.f5.com/kb/en-us/solutions/public/11000/200/sol11220.html

     

     

    I just want f5 to recognise the certificate as trusted, could you tell me how can I do this. you have to import ca certificate who signs server (pool member)'s certificate or server certificate itself (in case of self-signed) and set it as trusted certificate authorities.

     

     

    hope this helps.
  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus

    Some suggestions:

     

    1. Depending on the security requirements, you may be able to save some cycles by using weaker encryption in the DMZ.
    2. Use the longest expiration the security requirements allow. In my experience many organizations purchase certs with a one-year expiration because of financial/budget consideration and/or uncertainty regarding the life span of the web site. Setting the self-signed cert to expire later saves some administrative overhead.
    3. Use the same self-signed cert in the DMZ for all VIPs if the security requirements allow it.