client ssl profile to serverssl pool members each with different certificates

Question

can I have a custom client side ssl profile and use then use the default serverssl profile to negotiate with 5 pool members each with different certificates? I need to encrypt end to end but the pool members use different profiles?

denverrb_326662 · Answer

You could use a wildcard certificate on the client side and then load balance.¬†
Example Here - ¬†
https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html?lc=1¬†

rob_carr · Answer

The certificate offered by the clientssl profile and the certificates offered by the application servers don't have to be the same.  Along with that, by default the serverssl profile doesn't verify certificates by default, so having different certificates on each of your application servers isn't necessarily an issue.&nbsp;
If you do want to have certificate verification between the BIG-IP and the backend servers, it appears that you can only provide one set of trusted certificate authorities, so you will either need to have all server provided certificates chain to the same CA or use some method of profile switching to change the serverssl profile to match the selected back-end server.&nbsp;

Forum Discussion

client ssl profile to serverssl pool members each with different certificates

2 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Re: Management Certificate

Activate serverssl profile in iRule

My Security+ Certification Journey

Certifications for security professionals

Copper SFP Differences