Forum Discussion

Tobias_377874
Nov 28, 2018

Resign certificate for clients to server with SSL Offload?

Hi!

 

I would like to resign the certificate when a client hits one of our web servers. I'm not sure if I need SSL Forward Proxy or can do this with SSL Offload/Termination?

Client goes to ";, F5 uses certificate "A" to the client, which is self-signed by F5. This I have placed in the Client SSL profile. F5 then contacts the server and uses certificate "B", which I have in a Server SSL profile. I have both cert/key for both A and B but don't get this to work with SSL Offload/Termination. So I'm really not doing any offloading per se, just cert resign. Is it possible? I get a handshake failure every time I try.

As I understood, this is very easily done with SSL Forward Proxy (which requires an extra license).

 

Best Regards, Tob

 

1 Reply

  • SSL Forward Proxy is intended for outbound (forward proxy) connectivity, where you do not own the server and its certificates. In this case, SSL Forward Proxy forges (resigns) the remote server certificate to internal clients. So for example, an internal client surfing to https://www.google.com would get a Google certificate resigned by a local CA.

     

    I believe what you're asking for is reverse proxy connectivity, where external clients are accessing internal web services. Minimally you need a client SSL profile (client-facing) that contains the certificate and associated private key that are exposed to the client making the HTTPS request. For the server side, F5 to web server, you usually don't need anything here except a generic serverssl profile. The server (web server in this case) possesses the certificate and private key, so the F5 would be the client in this case. You'd only need to insert a cert and key in the server SSL profile if the server required mutual (client certificate) authentication.
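
The reverse-proxy layout described in the reply above, sketched as tmsh commands. This is an added example, not part of the original thread or F5's own configuration; every object name, file name and the 192.0.2.10 address is a placeholder, and it assumes the certificates and keys are already imported and a pool named pool_web exists.

```tmsh
# Constructed example: clientssl_web, serverssl_web_mtls, vs_web_https, pool_web,
# certA.crt/certA.key, certB.crt/certB.key and 192.0.2.10 are placeholders.

# Client side (client -> BIG-IP): BIG-IP is the TLS server here, so the
# client SSL profile carries certificate "A" and its private key.
create ltm profile client-ssl clientssl_web defaults-from clientssl cert-key-chain add { certA { cert certA.crt key certA.key } }

# Server side (BIG-IP -> web server): BIG-IP is the TLS client here. The web
# server presents its own certificate, so the stock serverssl profile with no
# certificate or key is enough to re-encrypt traffic to the pool.
create ltm virtual vs_web_https destination 192.0.2.10:443 ip-protocol tcp pool pool_web profiles add { tcp { } http { } clientssl_web { context clientside } serverssl { context serverside } }

# Only when the web server requires mutual (client certificate) authentication:
# give the server SSL profile the certificate and key BIG-IP should present,
# then swap it in for the generic serverssl profile.
create ltm profile server-ssl serverssl_web_mtls defaults-from serverssl cert certB.crt key certB.key
modify ltm virtual vs_web_https profiles replace-all-with { tcp { } http { } clientssl_web { context clientside } serverssl_web_mtls { context serverside } }

# Handshake counters for each leg help show which side is failing.
show ltm profile client-ssl clientssl_web
show ltm profile server-ssl serverssl_web_mtls
```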