Forum Discussion
They are very good links. For one web site, can we say "CA root cert ----- intermediate cert ----- client cert" should exist on both the server and the client PC?
Depends on how you set up your VIP. :)

If you are "offloading" 443 -> 80 (to the server), the VIP will have a certificate configured; the F5 does the heavy lifting (encryption and decryption).

If you set up "pass-through" 443 -> 443, the F5 does not decrypt the traffic; the back-end servers will do the encryption and re-encryption.

---

I think you are referring to the CA Bundle for IIS or Apache / Tomcat?

- Pass-through: The Intermediate and Root cert will have to be in the cert store for the certificate trust.
- Offloading: The F5 will have to have a CA Bundle configured with Root and Intermediate certificates and not server or client cert.

The client receives the server(s) "public" certificate when accessing HTTPS. The client certificate may/can be used to authenticate one into the server, i.e. APM authentication.
Note: The private certificate is NEVER handed out. Analogy: It is the "key" to your house; you don't want strangers having your key or they can rob you. :)
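
To see the CA bundle point from the reply above in practice, here is an added example (not part of the thread and not F5 configuration) that uses the openssl CLI to build a throwaway root, intermediate and server certificate, then verifies the server certificate against a root + intermediate bundle and against the root alone. All names and file paths are constructed for the example.

```shell
#!/usr/bin/env bash
# Constructed demo chain: Demo Root CA -> Demo Intermediate CA -> www.example.test
# All names and files are made up for this example; nothing here is F5-specific.

issue() {  # issue <dir> <name> <CN> <ext-file> <issuer-name | self>
  local d="$1" n="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ "$5" = self ]; then   # root CA signs itself
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/$4" -out "$d/$n.pem" 2>/dev/null
  else                       # everything else is signed with its issuer's key
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$5.pem" -CAkey "$d/$5.key" \
      -CAcreateserial -days 2 -extfile "$d/$4" -out "$d/$n.pem" 2>/dev/null
  fi
}

chain_ok() {  # chain_ok <CA file> <certificate>: true if a path to a trusted root exists
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d with_bundle root_only
  d=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  issue "$d" root "Demo Root CA" ca.ext self &&
    issue "$d" int "Demo Intermediate CA" ca.ext root &&
    issue "$d" leaf "www.example.test" leaf.ext int || { rm -rf "$d"; return 1; }

  # CA bundle as described in the thread: intermediate + root, no server/client cert.
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
  chain_ok "$d/bundle.pem" "$d/leaf.pem" && with_bundle=trusted || with_bundle=untrusted
  # Root alone: the leaf's issuer (the intermediate) cannot be found.
  chain_ok "$d/root.pem" "$d/leaf.pem" && root_only=trusted || root_only=untrusted

  rm -rf "$d"   # removes the throwaway private keys as well
  echo "bundle=$with_bundle root_only=$root_only"
}

demo
```

The private keys (`*.key`) are only ever used for signing on the issuing side; the verifier is given certificates alone.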