Tuesday, January 20, 2015

F5 load Balancer and IIS certificate issue

Good day All,

Today I will share an F5 and IIS certificate issue I was pulled into some time ago. In fact, when the issue came to me I was told that all configuration on the F5 had been set properly and the certificate had been installed on the IIS web server, but the page was still unavailable when they tried to access the server over HTTPS from the external network.
A couple of questions I asked:

1. Is the certificate working properly internally? The answer was yes.
2. What kind of offloading do we have configured on the F5, client-side SSL or server-side SSL? The answer was server-side SSL.
3. If server-side SSL, are we using two certificates (one for the F5 and one for the IIS web server), or are we installing one certificate on the F5, then exporting it and importing the same certificate with its private key on the web server? The answer was only one certificate.

For starters, if you are wondering what client-side and server-side SSL are, please check this F5 manual; it goes into depth on the subject.

So I said please hold on and let me check something, because I had a good idea what the issue was. Any guesses? Well, here is the answer, see below. Can you tell me what is missing?



If anyone guessed "I don't see the private key", then the answer is yes. There is no private key for this certificate, so all the traffic from the F5 to the IIS web server was encrypted, but IIS did not have the private key to decrypt it. Why don't we see the private key? The likely reason:
The certificate request was generated from the F5, and when the certificate was received the F5 stored the certificate and the private key separately. The F5 team then passed the certificate alone, without the private key, to be applied on IIS, not knowing that the server would need the private key.

So how do we fix the issue? There is a neat little tool called OpenSSL; simply download and install it. It merges the certificate and the private key into a PFX (PKCS#12) file that can be imported into IIS.


C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -export -out name.pfx -inkey w.key -in w.crt -name test
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:


The above command creates the PFX. We re-imported the certificate into the certificate store and reapplied the certificate to IIS.
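The same procedure, with the check that would have caught this problem before anyone touched IIS, as an added example that is not part of the original post: before exporting, compare the public key inside the certificate with the public key derived from the private key; only a matching pair should be bundled. The script uses only the openssl command line (the same pkcs12 -export command as above, with the password supplied through an environment variable instead of the interactive prompt). The file names w.key, w.crt and name.pfx follow the post; the self-signed test pair, the unrelated second key and the export password are constructed for this demo, and the script is written for POSIX sh rather than the Windows cmd prompt shown above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a certificate and a
# private key belong together, bundle them into a PFX for IIS, and confirm the
# PFX really carries the private key. Requires only the openssl CLI.
set -eu

# Working directory for the constructed demo files.
WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway self-signed key/cert pair so the script runs offline
# (constructed test data; in practice w.key/w.crt come from the F5 export).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "$WORK/w.key" -out "$WORK/w.crt" >/dev/null 2>&1
    # An unrelated key, to show what a mismatched pair looks like.
    openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# Return 0 if the public key embedded in the certificate ($1) equals the
# public key derived from the private key ($2), 1 otherwise.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Merge certificate ($1) and key ($2) into a PKCS#12/PFX file ($4) protected
# by password ($3), with friendly name ($5). The password is passed via an
# environment variable so it never appears on the command line.
make_pfx() {
    PFX_PASS="$3" openssl pkcs12 -export -out "$4" -inkey "$2" -in "$1" \
        -name "$5" -passout env:PFX_PASS
}

# Return 0 if the PFX ($1) opens with password ($2) and contains a private
# key, which is exactly what IIS needs at import time.
pfx_has_private_key() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -nocerts -nodes \
        -passin env:PFX_PASS 2>/dev/null | grep -q "PRIVATE KEY"
}

# Demo run: refuse to export unless the pair matches.
make_test_pair
if keys_match "$WORK/w.crt" "$WORK/w.key"; then
    make_pfx "$WORK/w.crt" "$WORK/w.key" "constructed-demo-password" \
        "$WORK/name.pfx" test
    pfx_has_private_key "$WORK/name.pfx" "constructed-demo-password"
    echo "PFX ready for IIS import: $WORK/name.pfx"
else
    echo "certificate and private key do not match; nothing exported" >&2
    exit 1
fi
```

Run it as is to see the full flow on the constructed pair, or set WORK to a directory holding your real w.key and w.crt and call keys_match and make_pfx directly. The comparison hashes the PEM public keys rather than the RSA modulus, so it works unchanged for ECDSA keys as well.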



Hope this helps someone!
