nerdexam
F5

201 · Question #9

Assume a virtual server has a ServerSSL profile. What SSL certificates are required on the pool members.

The correct answer is B. The pool members.SSL certificates must only exist.. When a Virtual Server uses a ServerSSL profile, the BIG-IP system re-encrypts traffic to pool members, requiring the pool members to present any valid SSL certificate, regardless of its issuer or trust chain.

Configure Load Balancing Features

Question

Assume a virtual server has a ServerSSL profile. What SSL certificates are required on the pool members.

Options

  • ANo SSL certificates are required on the pool members.
  • BThe pool members.SSL certificates must only exist.
  • CThe pool members.SSL certificates must be issued from a certificate authority.
  • DThe pool members.SSL certificates must be created within the company hosting the BIGIPs.

How the community answered

(21 responses)
  • A
    5% (1)
  • B
    90% (19)
  • C
    5% (1)

Why each option

When a Virtual Server uses a ServerSSL profile, the BIG-IP system re-encrypts traffic to pool members, requiring the pool members to present any valid SSL certificate, regardless of its issuer or trust chain.

ANo SSL certificates are required on the pool members.

Pool members must present an SSL certificate if the BIG-IP is using a ServerSSL profile to re-encrypt connections, as the BIG-IP acts as an SSL client in this scenario.

BThe pool members.SSL certificates must only exist.Correct

For a BIG-IP with a ServerSSL profile, the BIG-IP acts as an SSL client to the pool member. It only verifies that the pool member presents some SSL certificate for the connection to proceed; it does not typically validate the certificate chain against a CA unless specifically configured to do so for client-side authentication.

CThe pool members.SSL certificates must be issued from a certificate authority.

While certificates issued from a CA are standard, the BIG-IP's default ServerSSL behavior only requires a certificate to exist on the pool member, not necessarily one signed by a publicly trusted CA.

DThe pool members.SSL certificates must be created within the company hosting the BIGIPs.

The origin of the certificate (whether internal or external) is irrelevant; any valid certificate, even self-signed, will satisfy the default ServerSSL profile's requirement.

Concept tested: ServerSSL profile certificate requirements

Source: https://support.f5.com/csp/article/K14783

Topics

#ServerSSL profile#SSL certificates#pool members

Community Discussion

No community discussion yet for this question.

Full 201 Practice