Manual Chapter : Create a custom Client SSL profile

Applies To:

  • BIG-IP AAM: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP APM: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP Analytics: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP LTM: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP PEM: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP AFM: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP DNS: 14.1.3, 14.1.2, 14.1.0
  • BIG-IP ASM: 14.1.3, 14.1.2, 14.1.0
You create a custom Client SSL profile when you want the BIG-IP® system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption/encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This allows the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.
At a minimum, you must specify a certificate key chain that includes an RSA key pair. Specifying certificate key chains for DSA and ECDSA key pairs is optional, although highly recommended.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
    The settings become available for change.
  6. From the Configuration list, select Advanced.
  7. For the Mode setting, select the Enabled check box.
  8. For the Certificate Key Chain setting, click Add.
    1. From the Certificate list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP system. If you have neither generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the Key list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
      If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate Certificate Authorities (CAs).
      The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. In the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the passphrase itself. This passphrase encryption process is invisible to BIG-IP system administrative users.
    5. Click Add.
  9. In the Certificate Key Chain setting, click Add again, and repeat the process for all certificate key chains that you want to specify.
    At a minimum, you must specify an RSA certificate key chain.
    The result is that all specified key chains appear in the text box.
  10. To enable OCSP stapling, select the OCSP Stapling check box.
    To enable OCSP stapling, you must first create an OCSP Stapling profile. See Creating an OCSP stapling profile for detailed steps.
  11. If you want to Notify Certificate Status to Virtual Server, select the check box.
  12. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option: Cipher Group
    Description: Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.
    Option: Cipher String
    Description: Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
    • Always append ciphers to the DEFAULT cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter key length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword HIGH. To do this, include both !ADH and :HIGH in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE provides forward secrecy: it creates a session key that it discards after each session, so the same session key is never used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system, because with forward secrecy such systems can no longer decrypt the traffic from the private key alone. Also, diagnostic tools like ssldump won't work when you're using forward secrecy.
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.
    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:
  13. Configure any other settings as needed.
  14. Click Finished.
After performing this task, you can see the custom Client SSL profile in the list of Client SSL profiles on the system.
By default, TLSv1.3 is disabled in this configuration.
To use this profile, you must assign it to a virtual server. See Assigning SSL profiles to a virtual server for detailed information.
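As an added example (not F5's code and not tmsh), the following Python pre-change check encodes this chapter's rules for a proposed profile: an RSA key chain is required, default certificate and key names are not allowed in a DSC Sync-Failover group, the default self-signed certificate and CA bundle are not usable as a chain, and the cipher string must start with DEFAULT, carry !ADH together with HIGH and !EXPORT, should carry !SSLv3, and must include ECDHE_ECDSA whenever an ECDSA chain is configured. The profile dict shape and the file names default.crt, default.key and ca-bundle.crt are assumptions made for the example.

```python
# Added example (not F5's code): a pre-change check that applies this chapter's
# rules to a proposed Client SSL profile before it is entered in the GUI.

# Names assumed for the built-in default certificate, key and CA bundle.
DEFAULT_CERTS = {"default", "default.crt"}
DEFAULT_KEYS = {"default", "default.key"}
UNSUITABLE_CHAINS = {"default.crt", "ca-bundle.crt"}

# Cipher-string keywords the chapter recommends, with the reason for each.
REQUIRED_KEYWORDS = (
    ("!ADH", "anonymous DH ciphers should be disabled"),
    ("HIGH", "HIGH must still be included alongside !ADH"),
    ("!EXPORT", "EXPORT ciphers should be disabled"),
)


def check_profile(profile):
    """Return a list of findings; an empty list means the profile passes.

    profile (a dict shape constructed for this example):
      in_dsc_group:    True if the BIG-IP is in a DSC Sync-Failover group
      cert_key_chains: [{"cert", "key", "key_type" (RSA/DSA/ECDSA), "chain"}]
      ciphers:         the cipher string typed into the Ciphers setting
    """
    findings = []
    chains = profile.get("cert_key_chains", [])
    key_types = {c["key_type"] for c in chains}
    if "RSA" not in key_types:
        findings.append("an RSA certificate key chain is required")
    for c in chains:
        if profile.get("in_dsc_group") and (
                c["cert"] in DEFAULT_CERTS or c["key"] in DEFAULT_KEYS):
            findings.append(f"{c['key_type']} chain uses the default cert/key; "
                            "use a non-default name in a DSC Sync-Failover group")
        if c.get("chain") in UNSUITABLE_CHAINS:
            findings.append(f"{c['key_type']} chain uses {c['chain']}, which is "
                            "not suitable as a certificate chain")
    tokens = profile.get("ciphers", "").split(":")
    # An ECDSA chain can only be negotiated if ECDHE_ECDSA ciphers are offered.
    if "ECDSA" in key_types and not any(
            t == "ECDHE_ECDSA" or t.startswith("ECDHE-ECDSA-") for t in tokens):
        findings.append("ECDSA chain present but ECDHE_ECDSA is missing from ciphers")
    if tokens[0] != "DEFAULT":
        findings.append("cipher string should start with DEFAULT")
    for keyword, reason in REQUIRED_KEYWORDS:
        if keyword not in tokens:
            findings.append(f"cipher string lacks {keyword}: {reason}")
    if "!SSLv3" not in tokens:
        findings.append("consider adding !SSLv3 (SSLv3 is not secure)")
    return findings
```

Run against the chapter's own example string, the only finding is the optional !SSLv3 recommendation.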