
DC_Jordan_18536
Sep 01, 2015

SSL offload - pfx certificate

I imported a pfx certificate into the F5, and it includes the certificate and key. When I associate this certificate (client SSL), the site does not work (when I remove it from the virtual server under client SSL, the site works normally). Please advise.

I have another question: do I need to remove the certificate from IIS on the server?


15 Replies

  • If your pool members are HTTP (port 80) you can just have the clientssl profile. If your pool members are HTTPS (port 443) you will also need a serverssl profile to re-encrypt, since your servers are listening on 443.

     

  • The servers (nodes) are using HTTPS, so can you please advise: what is server SSL? Can I use the same cert and key that I use for client SSL?

     

  • I want to thank you for your support.

    So I just need to add the default server profile that is used in the F5, is that right?

    On the server side I do not need to remove the certificate, is that right?

    I have a question: when I asked the system admin to download the certificate from Symantec, he chose F5 as the server, and Symantec provided us two certs (x.cert and the intermediate CA). This confused me.

    But I went into MMC (Windows) and exported the certificate with the private key as x.pfx. Is that a good procedure?

     

    • Brad_Parker
      Yes, the default serverssl profile will work. Do not remove the cert from the server. Yes, you can export the pfx from the MMC, but I would recommend including the chain by checking "Include all certificates in the certification path if possible" when exporting.
  • Thanks again. So for server SSL, I will go under the virtual server, add server SSL and add the default profile, is that right?

    I will try tomorrow to export x.pfx as you mentioned above.

    I have a question: if I do not include the chain, will this cause problems?

    If I use x.pfx without checking your option and use the intermediate CA that was provided by Symantec, is that right?

    So I do not need to use openssl to convert x.pfx to a cert and key, is that right?

    I am so sorry if I am asking a lot.

     

    • Brad_Parker
      Yes, default serverssl profile. You need the chain in some way on the F5 in the clientssl profile or else users will get errors. If you only export the cert and key in the pfx, you can add the intermediate in the "chain" drop-down in the clientssl profile. No, you do not need to convert the pfx. F5 can natively import the pfx.
  • I will try your recommendations and advice tomorrow.

    I have a last question: when exporting the certificate to x.pfx, it asks for a password. This password will be used only when importing the certificate to the F5 (File Management, SSL profile); there is no need for this password under Profiles, client SSL, passphrase, is that right?

     

    • Brad_Parker
      No, you don't need a password in the clientssl profile unless you choose to secure the key on the F5 when importing it. The password when exporting is just used to import into the F5 or anything else you are importing it into.
  • Thank you very much. I hope that tomorrow everything works based on your advice :)

     

  • I had somewhat of the same problem, and I had to change my .pfx extension to .crt, and that got imported just fine without any issues.

     

  • It is working now, thanks Brad.

    Note: it is working when I choose apm-default-server in server SSL; other profiles are not working. Do you have any idea?

     

  • Brad, just a question: why is only the apm-default-server profile working while the other ones are not?
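
The chain question raised in the replies above (whether the exported .pfx carries the intermediate or only the cert and key) can be checked with openssl before importing. This is an added example, not part of the original thread; the demo hierarchy, file names, subjects and the password `demo` are all constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). File names, subjects and the
# password "demo" are constructed test values.
set -eu

# Count certificates in a PKCS#12 file: 1 = leaf only, 2+ = leaf plus chain.
pfx_cert_count() {  # usage: pfx_cert_count FILE PASSWORD
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# List subject/issuer lines so a missing intermediate is easy to spot.
pfx_subjects() {  # usage: pfx_subjects FILE PASSWORD
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -E '^(subject|issuer)' || true
}

new_key_csr() {  # usage: new_key_csr DIR NAME CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}

# Build a constructed root -> intermediate -> leaf hierarchy in DIR and
# export the leaf twice: without and with the intermediate certificate.
make_demo_pfx() {  # usage: make_demo_pfx DIR
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.crt" -subj "/CN=Demo Root" -days 1 2>/dev/null
  new_key_csr "$d" int "Demo Intermediate"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.crt" -days 1 2>/dev/null
  new_key_csr "$d" leaf "www.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.crt" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
    -passout pass:demo -out "$d/leaf-only.pfx"
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
    -certfile "$d/int.crt" -passout pass:demo -out "$d/with-chain.pfx"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pfx "$work"
for f in leaf-only with-chain; do
  echo "$f.pfx: $(pfx_cert_count "$work/$f.pfx" demo) certificate(s)"
  pfx_subjects "$work/$f.pfx" demo
done
```

A count of 1 on your own export means the intermediate has to be supplied separately in the clientssl profile's chain setting, as described in the replies.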