Forum Discussion
8 Replies
- AJ_01_135899Cirrostratus
The key is the private cryptographic information used for encrypting traffic.
The certificate is the public cryptographic information used for encrypting traffic.
https://en.wikipedia.org/wiki/Public-key_cryptography
If you want to terminate SSL on your F5, you need both the key and certificate installed and configured in an SSL profile. Depending on your use case you may need an intermediate certificate configured in your SSL profile as well, which the Certificate Authority can provide.
Hope this answers your question!
- eesun_276598Cirrus
Thank you so much for your reply.
"If you want to terminate SSL on your F5"
What does "terminate" mean here? Here is my understanding of it: Usually the user's PC contacts the server directly. If we put an F5 between the server and the user's PC, all SSL processing would be moved from the server to the F5. That means terminating SSL on my F5, right?
- Vijay_ECirrus
Yes, if F5 deals with SSL processing, SSL is terminated on the F5.
- eesun_276598Cirrus
Thank you so much for confirming this for me. Can we say that in any case, once the certificate needs to be imported to the F5, the key also needs to be imported to the F5? If so, why not put the certificate and its key together, and then import them at one time?
- Deep_287674Nimbostratus
SSL offloading is done on the F5 because the F5 is acting as a full proxy. While uploading the certificate, the key is required to authenticate the certificate.
- eesun_276598Cirrus
So, after we import the certificate and its intermediate certificate, we still need to import one key for the "two" certificates, right? Thank you.
- Deep_287674Nimbostratus
You import the SSL certificate in BIG-IP by going to File management - SSL certificate - add. It will ask for the key once you import the certificate. After saving, create an SSL profile by going to Security - SSL profile. Create the profile, map the certificate and key. Keep the default chain.
- janholtzAltostratus
The certificate provides an algorithm to ENCRYPT the traffic, with an assurance that the traffic can only be DECRYPTED by the holder of the private key.
You are effectively handing out padlocks to anyone that asks for it (and that padlock has a signature on it that tells the user that it was sourced from a trusted entity).
The client trusts that the person handing out the padlocks is the same one that has the key to unlock it.
BR Sproggg
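
Added example, not part of any reply in this thread: a pre-import check that a private key file really belongs to the certificate it will be paired with in the SSL profile, done by comparing the public key derived from each with the `openssl` CLI. The file names, the helper function names and the `example.test` subjects are assumptions, and the key pairs are constructed throwaway test material generated locally.

```shell
#!/bin/sh
# Added example. Keys and certificates here are constructed test material;
# file names and function names are hypothetical.

# Print the public key (PEM) derived from a private key file.
pub_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the public key (PEM) embedded in a certificate, normalised the same way.
pub_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -pubout 2>/dev/null
}

# Return 0 only when key file $1 and certificate $2 carry the same public key.
# Unreadable or empty input counts as a mismatch, never as a match.
key_matches_cert() {
    from_key=$(pub_from_key "$1")
    from_cert=$(pub_from_cert "$2")
    [ -n "$from_key" ] && [ -n "$from_cert" ] && [ "$from_key" = "$from_cert" ]
}

# Generate a self-signed test pair: $1 = key path, $2 = cert path, $3 = CN.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_test_pair "$d/site.key" "$d/site.crt" site.example.test
    make_test_pair "$d/other.key" "$d/other.crt" other.example.test
    if key_matches_cert "$d/site.key" "$d/site.crt"; then
        echo "site.key + site.crt: match, safe to import as a pair"
    fi
    if ! key_matches_cert "$d/other.key" "$d/site.crt"; then
        echo "other.key + site.crt: MISMATCH, do not import together"
    fi
    rm -rf "$d"
}

demo
```

The private key file is the secret half of the pair, so run a check like this on the host where the key already lives rather than copying the key elsewhere to test it.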