Forum Discussion
Jason_Keating
Sep 08, 2010
Altostratus
The way I see it, you would have to generate 2 certificates on the load balancer, one to give to the client making the request, the other you would install into the Directory Server which would serve as a node in a pool on the BIG-IP.
The cert for the node should result from a private key and CSR on the node, subsequently signed by a CA the LTM trusts. Of course it's possible to skin this cat many different ways by exporting private keys etc., but I'd keep it simple and stick to best practice.
Assuming you have the client_ssl profile running and only the server_ssl side to sort out, check that your CN matches the name resolved for the node and that the LTM trusts the signatory. Oh, and use 'openssl s_client' for debugging SSL client connections; it will save you hours and hours and hours of time.
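The procedure and the two checks described in the post above (key and CSR created on the node, signed by a CA the LTM trusts, then CN and trust verified), as an added example that is not part of the original thread. The CA, the hostname `ldap1.example.internal`, port 636 and all file names are constructed assumptions; a throwaway CA stands in for the one the LTM trusts.

```shell
#!/usr/bin/env bash
# Added example: throwaway keys and constructed names, all in a temp directory.
set -u
WORK=$(mktemp -d)
NODE_NAME="ldap1.example.internal"  # assumption: the name resolved for the node

# make_ca PREFIX CN: self-signed CA, standing in for a CA the LTM trusts.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_node_cert CN: key and CSR are created "on the node"; only the CSR
# goes to the CA, so the private key is never exported.
make_node_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/node.csr" -days 1 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/node.crt" 2>/dev/null
}

# check_trust CA_FILE CERT: does the cert chain to this CA?
check_trust() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_name CERT HOSTNAME: -checkhost reports its verdict as text, so test the text.
check_name() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

make_ca ca "Example Lab CA"
make_node_cert "$NODE_NAME"
check_trust "$WORK/ca.crt" "$WORK/node.crt" && echo "chain: trusted" || echo "chain: NOT trusted"
check_name "$WORK/node.crt" "$NODE_NAME" && echo "name: match" || echo "name: MISMATCH"

# Against a live node, the same two checks in one s_client call
# (host and port are placeholders):
#   openssl s_client -connect "$NODE_NAME:636" -CAfile ca.crt -verify_hostname "$NODE_NAME"
```

A certificate issued this way has no subjectAltName, so the hostname check falls back to the CN, which is the case the post describes.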