Forum Discussion

Subrun
Apr 09, 2019

Does the SSL cert need to be imported on the server side as well when only Client SSL is configured on the F5?

Hello all,

I am doing a cert renewal task for one of my clients' applications. For that I created the CSR from the F5 and provided it to another team, and in return they provided me the SSL cert with the public key.

Now the application team is saying they need to import the cert on the server side as well and restart their application, while I will be renewing the SSL cert on the corresponding F5 VIP (by creating a new SSL profile with the new cert).

My question is: if it is Client SSL with no Server SSL on the F5, why does the application team need to install/import the cert on the server side? Then what is the meaning of CLIENT SSL?

2 Replies

  • The Client SSL profile is responsible for managing encryption between the client and the BIG-IP, while the Server SSL profile is responsible for managing encryption between the BIG-IP and the resource server.

    If you are using a Client SSL profile but not using a Server SSL profile, your traffic is encrypted between the client and the BIG-IP but not between the BIG-IP and your resource servers.

    If traffic between the BIG-IP and the application servers isn't encrypted, your application servers don't need a certificate installed.

  • Hi,

    To summarize: you have a backend server that listens on HTTP, so you do SSL offload on the F5. Your question is completely legitimate.

    Some applications listen on two different ports, HTTP and HTTPS. For security reasons the application owner restricts HTTP access to force users to use the HTTPS port.

    The reasons can be multiple:

    • Access to the service passes through the F5 over HTTPS securely, then over HTTP to the backend server for optimization reasons (knowing that using HTTPS consumes resources).
    • Since they have a service that listens on HTTPS, they want to have a valid certificate even if the service is not used (in case of a migration to the HTTPS port they will already be ready on their side...).

    In your case you should talk with the application owner and offer to do SSL bridging (SSL from the client to the F5, then re-encrypt from the F5 to the backend, in order to enhance security).

    Keep me in touch if you need more help.

    Regards
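Both replies above describe the same two topologies: SSL offload (Client SSL profile only, plain HTTP to the servers) and SSL bridging (Client SSL plus Server SSL, re-encrypted to the servers). As an added example that is not part of the original thread, the following tmsh session shows what each looks like on a BIG-IP when a renewed certificate is installed. In the offload case the renewed cert lives only on the BIG-IP and the pool members need no certificate at all; in the bridging case the servers do need their own certificate, and the Server SSL profile should be told to verify it, because its `peer-cert-mode` defaults to `ignore`. Every object name, address and file path below is hypothetical, and the private key is assumed to already exist on the BIG-IP under the same name because the CSR was generated there.

```tmsh
# Added example, not from the thread. All names, addresses and paths are hypothetical.
# Each line is a tmsh command typed at the BIG-IP bash prompt.

# 1. Install the renewed certificate. The key never left the BIG-IP: it was created
#    together with the CSR under the same object name, so only the cert is installed.
tmsh install sys crypto cert app.example.com_2019 from-local-file /var/tmp/app.example.com_2019.crt

# 2. New Client SSL profile carrying the renewed cert. TLS from the browser terminates here.
#    "intermediate-ca" is an already-installed CA chain object (hypothetical name).
tmsh create ltm profile client-ssl app_clientssl_2019 defaults-from clientssl \
    cert-key-chain replace-all-with { app_2019 { cert app.example.com_2019 key app.example.com_2019 chain intermediate-ca } }

# 3a. SSL offload: Client SSL only, pool members on plain HTTP.
#     Nothing about this cert touches the servers, so they need no certificate installed.
tmsh create ltm pool app_http_pool monitor http members add { 10.0.0.11:80 10.0.0.12:80 }
tmsh create ltm virtual app_vs destination 203.0.113.10:443 ip-protocol tcp \
    profiles add { tcp http app_clientssl_2019 { context clientside } } \
    pool app_http_pool source-address-translation { type automap }

# 3b. SSL bridging (the second reply's recommendation): add a Server SSL profile and
#     point the pool at 443. Now the servers DO present their own certificate, and the
#     BIG-IP must validate it; without peer-cert-mode require the backend cert is accepted
#     unchecked, which makes the re-encryption provide confidentiality but not authenticity.
#     "internal-ca" is the installed CA bundle that signed the server certs (hypothetical).
tmsh create ltm profile server-ssl app_serverssl defaults-from serverssl \
    peer-cert-mode require ca-file internal-ca authenticate-name app.internal.example.com
tmsh create ltm pool app_https_pool monitor https members add { 10.0.0.11:443 10.0.0.12:443 }
tmsh modify ltm virtual app_vs pool app_https_pool \
    profiles add { app_serverssl { context serverside } }

# 4. Check: the certificate the VIP presents must be the renewed one. This is the only
#    certificate the client ever sees, regardless of which topology is in use behind it.
openssl s_client -connect 203.0.113.10:443 -servername app.example.com </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
```

Step 3a and 3b are alternatives, not a sequence; 3b is written as a `modify` so it can be applied on top of an existing offload virtual server. For the bridging case, run the same `openssl s_client` check from the BIG-IP against a pool member (`10.0.0.11:443`) to confirm the backend certificate chains to the CA named in `ca-file` and carries the name given in `authenticate-name`, otherwise the Server SSL handshake will fail and the pool will go down once `peer-cert-mode require` is in place.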