How to Implement 2 Way SSL in F5 LTM

Hi,

Do you mean client authentication via certificate? If so it's quite easy. You have of course terminate SSL on VS using clientssl profile. In the profile you have part named Client Authentication. Actually what you need to populate Trusted Certificate Authorities (with certificates or certificate chains that can validate client certificate send during ssl handshake). To enable just set Client Certificate to require. If you search AskF5 there are at least few articles with more details.

Piotr

Hi Piotr, your answer not work for me. I have configured for my server one way ssl, now I want to configure 2 way ssl autenthication for it. Thank you.

Hi,

Client ---- > F5 ---> Server

Client to F5 --Use client SSL profile F5 to server --use Server SSL profile

Please let me know if any more information is required.

How to configure those profiles client and server, I have 2 certificates and the chain certificate. Thanks. I am new in F5 Big IP. (((

Generate CSR: Login to F5 active device 

Go to System ›› File Management : SSL Certificate List Click create button and update the details as mentioned below Note: In common name you need to mention FQDN name. If it is not a wildcard certificate then you need to mention as FQDN name. If it is wild card mention * before FQDN. Always select key size as 2048.

B. Download the CSR file and send to vendor

C. Vendor will provide following certificates.

Website certificate --This one you need to import . AddTrustExternalCARoot . UserTrustSAAddtrustCA . Trusted Secure Certificate Authority

D. Now import the certs as mentioned below. System ›› File Management : SSL Certificate List ›› Import

E.Key import details are mentioned below. System ›› File Management : SSL Certificate List ›› Import

Both Cert and key should be same name

Once cert, key and intermediate certs are imported we need to create SSL client profile

F.Configure new SSL certs under Client profile

Create a new profile as mentioned below

Go to Local Traffic ›› Profiles : SSL : Client In Certificate, key and chain select the files which you created Then click Add Once certificate key chain is update, click finished

Most of the times you need to update intermedaite certificate. Then you need to bundle certificates other than website certificate and import and call in SSL client profile chain section.

For Server SSL just assign default existing profile (serverssl-insecure-compatible)

I received only web site certificate and chain certificate for this task - 2 way ssl. chain certificate validates the origin of the certificate. the one way ssl was configured already. Explain me please step by step how to configure 2 way ssl for my VS ip:443 only. What must I do with website certificate and chain certificate? I have configured sslclient for my virtual server, but this client was created for one way ssl. I am not able to attache more ssl client profiles to my VS.