LTM SSL Profiles issue

Question

Hi all,&nbsp;
Happy new year.&nbsp;
I have a website hosted on a Windows IIS server and want to publish it with SSL certificate.
what are the configuration steps should I do on the F5 ? and what is the profile should I use client or server ?
also what are SSL certificates will be added on the F5 by the way I get the certificate.pfx from the web server ?&nbsp;
another question what are the certificates should I add on the F5 if I will use an USB-token to authenticate the clients ?&nbsp;
Thanks&nbsp;

nathe · Answer

Tamer,&nbsp;
In brief, to terminate the SSL connection you will need a Client SSL Profile configured and applied to the Virtual Server. If you need to re-encrypt to the backend webserver then you would also need a Server SSL Profile configured and applied to the Virtual Server (note, most times the default serverssl profile will work fine).&nbsp;
You will need to export the cert/key from the existing web server, import onto the BIG-IP and associate with the new Client SSL Profile.&nbsp;
Client certificate Authentication will require the Trusted CA certificate configured on the BIG-IP, perhaps a Root or Intermediate CA cert. Normally this would be from an internal PKI. You just configure the Client SSL profile to accept client certs signed from a particular Trusted Authority.&nbsp;
See the following links for more granular help:&nbsp;
Managing SSL certificates for BIG-IP systems using the Configuration utility&nbsp;
Overview of the Client SSL profile&nbsp;
Hope this helps,&nbsp;
N&nbsp;

tamer_ezzat_235 · Answer

Hi Nathan,&nbsp;
Thanks for your support&nbsp;
So I will import the certificate.pfx file and create SSL client profile only OK that is fine&nbsp;
and for Client certificate Authentication I will add in addition to the above certificate.pfx  I will add the Trusted CA certificate Root or Intermediate CA cert.&nbsp;
I will try then and will keep you updated.&nbsp;
One more thing: each website should has a Trusted CA certificate - root CA or not ?
should I create a root CA for each website ?&nbsp;
Thanks for your help&nbsp;

nathe · Answer

an intermediate should be fine, whatever has signed the client certificate

tamer_ezzat_235 · Answer

OK
Thanks I will do that and will update you&nbsp;

tito_110_241800 · Answer

Hi Nathan,&nbsp;
Thanks so much for your support&nbsp;
It worked&nbsp;
I created a SSL client profile using the certficate.pfx , and created SSL server profile using  the default serverssl profile.&nbsp;
Many thanks to you&nbsp;

Forum Discussion

LTM SSL Profiles issue

6 Replies

Recent Discussions

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Pricing when used with aws waf

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Related Content

Parsing F5 BIG-IP LTM DNS profile statistics and extracting values with Python

Rewrite profile statistics in ltm

iControl REST Cookbook - Virtual Server Profile (LTM Virtual Profiles)

list ltm profile

LTM Diameter iRules and Profile Configurations with Support for Server Initiated Request