Forum Discussion
8 Replies
- Shaun_Simmons1Altostratus
Need a little clarification of what you are trying to accomplish. How are your VIP and SSL profile(s) configured?
- eesun_276598Cirrus
I am trying to understand the certificate chain, and trying to know the concept.
- Shaun_Simmons1Altostratus
Check out these links, they may help clarify.
https://support.f5.com/kb/en-us/solutions/public/0000/700/sol788.html
https://docs.nexcess.net/article/what-is-a-chain-of-ssl-certificates.html
- eesun_276598Cirrus
They are very good links. For one web site, can we say "CA root cert ----- intermediate cert ----- client cert" should exist in both the server and the client PC?
- Shaun_Simmons1Altostratus
Depends on how you set up your VIP. :)
If you are "offloading" 443 -> 80 (to server), the VIP will have a certificate configured; the F5 does the heavy lifting (encryption and decryption).
If you set up "pass-through" 443 -> 443, the F5 does not decrypt the traffic; the back-end servers will do the encryption and re-encryption.
--- I think you are referring to the CA Bundle for IIS or Apache / Tomcat?
-Pass-through: The Intermediate and Root cert will have to be in the cert store for the certificate trust.
-Offloading: The F5 will have to have a CA Bundle configured with Root and Intermediate certificates and not server or client cert.
The client receives the server(s) "public" certificate when accessing HTTPS. The Client certificate may/can be used to authenticate one into the server, i.e. APM authentication.
Note: The private certificate is NEVER handed out. Analogy: It is the "key" to your house, you don't want strangers having your key or they can rob you. :)
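An added example, not part of the thread and not F5 configuration: a throwaway root -> intermediate -> server chain built with the `openssl` CLI, showing that the server certificate only verifies when the intermediate is available, either in the CA bundle or sent alongside the server certificate. All subjects, host names and file names (`Lab Root CA`, `www.example.test`, `bundle.crt`, ...) are constructed for the example.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: all names, subjects and files here are made up for this example.
set -eu

# issue <dir> <name> <subject> <extfile> <signer|self>: create <name>.key and <name>.crt
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  if [ "$5" = self ]; then   # root CA: signed with its own key
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
      -extfile "$1/$4" -days 30 -sha256 -out "$1/$2.crt" 2>/dev/null
  else                       # everything else: signed by the CA named in $5
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.crt" -CAkey "$1/$5.key" \
      -CAcreateserial -extfile "$1/$4" -days 30 -sha256 -out "$1/$2.crt" 2>/dev/null
  fi
}

# build_chain <dir>: root CA -> intermediate CA -> server (leaf) certificate
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
  issue "$1" root "/CN=Lab Root CA" ca.ext self
  issue "$1" int "/CN=Lab Intermediate CA" ca.ext root
  issue "$1" srv "/CN=www.example.test" leaf.ext int
  cat "$1/int.crt" "$1/root.crt" > "$1/bundle.crt"   # CA bundle: intermediate + root only
}

# chain_ok <dir> <trust file>: does srv.crt verify against that trust store alone?
chain_ok() { openssl verify -CAfile "$1/$2" "$1/srv.crt" >/dev/null 2>&1; }

# chain_ok_sent <dir>: client trusts only the root; the intermediate is sent with the server cert
chain_ok_sent() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/srv.crt" >/dev/null 2>&1
}

# key_matches <dir>: the certificate carries only the public half of srv.key
key_matches() {
  [ "$(openssl x509 -in "$1/srv.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/srv.key" -pubout)" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work"
chain_ok "$work" root.crt   && echo "root only: OK" || echo "root only: FAIL (no intermediate)"
chain_ok "$work" bundle.crt && echo "CA bundle: OK" || echo "CA bundle: FAIL"
chain_ok_sent "$work" && echo "root + sent intermediate: OK" || echo "root + sent intermediate: FAIL"
key_matches "$work" && echo "srv.crt holds the public half of srv.key; srv.key stays on the server"
```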
- eesun_276598Cirrus
Please see the below two options in F5. F5 is a proxy for the server behind it; why does the step have two options: Client and Server?
Local Traffic ›› Profiles : SSL : Client >>>
Local Traffic ›› Profiles : SSL : Server >>>
- Shaun_Simmons1Altostratus
Local Traffic ›› Profiles : SSL : Client >>> Refer to: https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html
The BIG-IP Client SSL profile enables the BIG-IP system to accept and terminate client requests that are sent using a fully SSL-encapsulated protocol and provides a number of configurable settings for managing client-side Secure Socket Layer SSL connections.
Local Traffic ›› Profiles : SSL : Server >>> Refer to: https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
The BIG-IP Server SSL profile enables the BIG-IP system to initiate secure connections to your SSL servers by using a fully SSL-encapsulated protocol and providing configurable settings for managing server-side SSL connections.
- eesun_276598Cirrus
Excellent explanation! Thank you