F5 - SSL offloading and intermediate Certificates

The concept of SSL offloading is very simple: the SSL work is done by a device in front of the servers instead of on each server itself.
In other words, say we have a data center with 50 web servers and we want to make the data more secure by adding SSL encryption to our HTTP traffic. At this point we can either configure each server to work with HTTPS, OR we can add a device that decrypts the SSL on requests coming in from clients and encrypts the responses going back out. That way our traffic on the client side is secured and we save server resources. Keep in mind that the traffic between the offloading device and the web servers is then plain HTTP, so that network segment has to be one you trust.

Before getting to the configuration part I want to spend a moment on the CA bundle, also known as the intermediate certificate. With some CAs, in order to use their certificates we have to append an intermediate certificate to the certificate we have. The intermediate is the certificate of the CA that signed ours; it is in turn signed by the root, so it is the link between our certificate and the root that will verify it.
For example, some browsers do not have GoDaddy's root even though GoDaddy is a well-known and trusted CA, so if a website using one of their certificates (with no intermediate installed) is accessed with an old browser, the browser will report that the certificate is not verified and we'll get an error message when accessing the site.
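To see the "missing intermediate" error for yourself, here is an added example (not from the original post and not an F5 command) that builds a throwaway root, intermediate and server certificate with the openssl CLI and then verifies the server certificate with and without the intermediate. It assumes openssl is installed; all names (Demo Root CA, www.example.test) are made up, and everything is written to a temporary directory.

```shell
#!/bin/sh
# Constructed demonstration of why the intermediate (chain) certificate matters.
# Builds a throwaway root -> intermediate -> server chain with the openssl CLI,
# then verifies the server certificate once without and once with the
# intermediate, the same two situations a browser ends up in.
# Assumptions: openssl is installed; all names are made up; work is done in a temp dir.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed, the only thing the "browser" trusts (CAfile below)
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile ca.ext -out root.crt >/dev/null 2>&1

# Intermediate CA: signed by the root, allowed to sign leaf certificates
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.ext -out inter.crt >/dev/null 2>&1

# Server (leaf) certificate: signed by the intermediate, not by the root
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -out server.crt >/dev/null 2>&1

# verify_chain ROOT LEAF [CHAIN]: exit 0 if LEAF chains up to ROOT, non-zero otherwise.
# CHAIN plays the role of the F5 "Chain" certificate sent alongside the leaf.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

if verify_chain root.crt server.crt; then
  echo "without chain: verified (unexpected)"
else
  echo "without chain: NOT verified - this is the browser error"
fi
if verify_chain root.crt server.crt inter.crt; then
  echo "with chain: verified"
fi
```

The first check fails with "unable to get local issuer certificate", which is exactly what a client sees when the server sends only its own certificate; the second passes because the intermediate is supplied alongside it.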

Using the intermediate on the F5 is very simple: all we need to do is import it to the device and attach it in the Client SSL profile as the "Chain" certificate.

Importing the certificate to the device:
System > File Management > SSL Certificate List > Import

We'll group the intermediate with the certificate and the key using a profile:
Local Traffic > Profiles > SSL > Client

Name the profile and set Certificate, Key and Chain:
Certificate is the certificate we just loaded.
Key is the private key associated with the certificate; if we uploaded a certificate file that includes the key (for example a PKCS#12 'p12'), choose the certificate here as well.
Chain is the intermediate certificate of our CA.

Now all we have to do is apply the profile to the wanted traffic by adding it to the appropriate virtual server:
Local Traffic > Virtual Server

Basic config: name, IP and port.

We just need to make sure we choose an HTTP profile and the SSL profile we configured earlier.

Don't forget to point the virtual server to the pool you need;
other than that we're all done.

Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
