You create a custom Client SSL profile when you want the BIG-IP®
system to terminate client-side SSL traffic for the purpose of
decrypting client-side ingress traffic and encrypting client-side egress traffic. By
terminating client-side SSL traffic, the BIG-IP system offloads these
decryption/encryption functions from the destination server. When you perform this task,
you can specify multiple certificate key chains, one for each key type (RSA, DSA, and
ECDSA). This allows the BIG-IP system to negotiate secure client connections using
different cipher suites based on the client's preference.
Important: At a
minimum, you must specify a certificate key chain that includes an RSA key pair.
Specifying certificate key chains for DSA and ECDSA key pairs is optional, although
If you create multiple Client SSL profiles and assign them to the
same virtual server, then for each of the following profile settings, you must
configure the same value in each profile. For example, if the
setting in one profile is set to
, then the Frequency
in all other Client SSL profiles for that virtual server must be set to
Certificate Chain Traversal Depth
Certificate Revocation List (CRL)
Trusted Certificate Authorities
Advertised Certificate Authorities
After performing this task, you can see the custom Client SSL profile in the list of Client SSL profiles on the system.
You must also assign the profile to a virtual server.