
F5 BIG-IP SSL Profiles Explained

What they are, why you need them, and how they actually work.

12 min read, December 2025

The 30-Second Version

What: SSL profiles are collections of SSL/TLS settings that you attach to virtual servers.

Two types: Client SSL (handles encryption FROM users) and Server SSL (handles encryption TO backends).

Key insight: The naming is from F5's perspective - "Client SSL" handles the client connection, not client certificates.

Most common mistake: Forgetting to add the certificate chain, causing "certificate not trusted" errors.

What is an SSL Profile?

An SSL profile is a reusable collection of SSL/TLS settings. Instead of configuring encryption settings directly on each virtual server, you create profiles and attach them.

Why profiles exist:

  • Reusability: one profile, many virtual servers
  • Consistency: same settings everywhere
  • Manageability: update once, apply everywhere
  • Inheritance: child profiles inherit from parents

Analogy: Think of a profile like a template. You define how SSL should work once, then apply that template wherever you need it.

The Two Types of SSL Profiles

F5 has two types of SSL profiles, and the naming confuses everyone.

                        F5 BIG-IP
                     ┌─────────────────┐
                     │                 │
[Client/Browser] ────▶  Virtual Server  ────▶ [Backend Server]
                HTTPS │                 │ HTTP or HTTPS
                     │  ┌───────────┐  │
                     │  │Client SSL │  │  ◀── Decrypts INCOMING traffic
                     │  │ Profile   │  │      YOUR certificate goes here
                     │  └───────────┘  │
                     │                 │
                     │  ┌───────────┐  │
                     │  │Server SSL │  │  ◀── Encrypts OUTGOING traffic
                     │  │ Profile   │  │      Only needed for re-encryption
                     │  └───────────┘  │
                     │                 │
                     └─────────────────┘

Quick Reference Table

Profile Type   Direction      What It Does              Your Cert Here?
Client SSL     Client → F5    Decrypts incoming HTTPS   YES
Server SSL     F5 → Server    Encrypts to backend       Usually no*

*Only if backend requires client certificate authentication (mTLS)

Why The Names Are Confusing

The naming is from F5's perspective, not yours.

"Client SSL" = Handles the connection where F5 acts as server to the client

"Server SSL" = Handles the connection where F5 acts as client to the server

Mental Model

Client SSL Profile: "How F5 looks to clients"
(F5 presents YOUR certificate)

Server SSL Profile: "How F5 looks to servers"
(F5 acts as a client connecting to your backend)

When You Need Each Profile

Scenario 1: SSL Offload (Most Common)

User ──HTTPS──▶ F5 ──HTTP──▶ Backend

Profiles needed: Client SSL only

  • F5 terminates SSL
  • Backend receives plain HTTP
  • Simplest configuration
  • Best performance (backend doesn't do crypto)

Scenario 2: End-to-End Encryption (Re-encryption)

User ──HTTPS──▶ F5 ──HTTPS──▶ Backend

Profiles needed: Client SSL + Server SSL

  • F5 terminates and re-encrypts
  • Backend receives HTTPS
  • Required for compliance (PCI, etc.)
  • F5 can still inspect/modify traffic

Scenario 3: SSL Passthrough

User ──HTTPS──▶ F5 ──HTTPS──▶ Backend
(F5 doesn't decrypt)

Profiles needed: Neither

  • F5 just routes encrypted traffic
  • Cannot inspect or modify
  • Limited load balancing options
  • Use only when F5 can't have the certificate

Decision Flowchart

Does F5 need to see the traffic content?
│
├── YES (modify headers, route by URL, inspect payload)
│   │
│   └── Create Client SSL Profile with your certificate
│       │
│       └── Does backend need HTTPS?
│           │
│           ├── YES → Also create Server SSL Profile
│           │
│           └── NO → Client SSL only (SSL Offload)
│
└── NO (just route encrypted packets)
    │
    └── Use SSL Passthrough (no SSL profiles)

Anatomy of a Client SSL Profile

Location: Local Traffic → Profiles → SSL → Client

Key Settings Explained

Setting                What It Does                     Plain English
Certificate Key Chain  Your certificate + key + chain   The identity F5 shows to browsers
Certificate            Your server certificate          The cert users see (e.g., *.example.com)
Key                    Private key for your cert        Proves F5 owns the certificate
Chain                  Intermediate certificate(s)      Builds trust path to root CA
Ciphers                Allowed encryption algorithms    What crypto is permitted
Options                TLS versions, settings           TLS 1.2, 1.3, etc.
Client Authentication  mTLS settings                    Require client certificates?

The Certificate Key Chain - Where Most Mistakes Happen

Correct configuration:

  • Certificate: Your server cert (e.g., www.example.com.crt)
  • Key: Matching private key (e.g., www.example.com.key)
  • Chain: Intermediate CA cert(s) (e.g., DigiCertCA.crt)

Common mistakes:

  • Forgetting the chain (causes "not trusted" on some clients)
  • Wrong chain (F5 silently sends nothing)
  • Key doesn't match certificate (import fails)

Anatomy of a Server SSL Profile

Location: Local Traffic → Profiles → SSL → Server

Key Settings Explained

Setting                What It Does                    When You Need It
Certificate Key Chain  Cert F5 presents to backend     Only if backend requires mTLS
Server Name            SNI hostname to send            When backend uses SNI
Trusted CAs            CAs to trust for backend cert   To validate backend identity
Ciphers                Allowed algorithms              Must match backend capabilities
Server Authentication  Verify backend?                 Usually "Ignore" (trust by network)

Most Common Server SSL Config

For simple re-encryption to internal servers:

Server Authentication: Ignore (don't verify backend cert)
Ciphers: Match your backend's supported ciphers
Options: TLS 1.2 minimum

You typically don't need to verify backend certificates when:

  • Backend is on your internal network
  • You control both F5 and backend
  • Network path is trusted
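The Client SSL "Certificate Key Chain" checks and the Server SSL re-encryption setup above, as an added example that is not from the page or from F5: two openssl pre-flight checks that catch the "key doesn't match certificate" and "wrong chain" mistakes before anything is uploaded, followed by the tmsh commands for the offload and re-encryption scenarios. It assumes openssl is on PATH; the profile, object and hostname names are illustrative, and the tmsh syntax is written from the tmsh reference and should be checked against your BIG-IP version.

```shell
#!/bin/sh
# Added example (not from the page or from F5). Assumes openssl on PATH;
# profile/object names are illustrative; tmsh syntax is from the tmsh
# reference and should be checked against your BIG-IP version.
set -eu

# Succeeds when the private key belongs to the certificate (identical public
# key); this is the "key doesn't match certificate" import failure.
key_matches_cert() {  # $1=cert.crt $2=cert.key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the chain file's subject equals the leaf's issuer, i.e. it is
# the intermediate that actually signed the leaf. Catches the "wrong chain"
# mistake, where F5 ends up sending no chain at all.
chain_signed_cert() {  # $1=cert.crt $2=chain.crt
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  [ "$issuer" = "$subject" ]
}

# Scenario 1 (SSL offload): install the three files and build a Client SSL
# profile that carries cert, key AND chain, with TLS 1.0/1.1 disabled.
emit_offload() {  # $1=profile name $2=cert $3=key $4=chain
  cat <<EOF
tmsh install sys crypto cert $1 from-local-file $2
tmsh install sys crypto key $1 from-local-file $3
tmsh install sys crypto cert $1-chain from-local-file $4
tmsh create ltm profile client-ssl $1 cert-key-chain add { $1 { cert $1 key $1 chain $1-chain } } options { no-tlsv1 no-tlsv1.1 }
EOF
}

# Scenario 2 (re-encryption): add a Server SSL profile that sends SNI to the
# backend and uses the page's "Ignore" server authentication, then attach
# both profiles to the virtual server in their respective directions.
emit_reencrypt() {  # $1=profile name $2=virtual server $3=backend SNI hostname
  cat <<EOF
tmsh create ltm profile server-ssl $1-server peer-cert-mode ignore server-name $3 options { no-tlsv1 no-tlsv1.1 }
tmsh modify ltm virtual $2 profiles add { $1 { context clientside } $1-server { context serverside } }
EOF
}
```

Run the two checks on the real files first; only emit and paste the tmsh lines once both succeed.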

Common Mistakes

Mistake                       Symptom                               Fix
No chain certificate          "Not trusted" on mobile/API clients   Add intermediate to Chain field
Wrong chain certificate       F5 sends no chain at all              Download correct chain from CA
Profile not assigned to VS    HTTPS doesn't work                    Virtual Server → SSL Profile (Client)
Wrong profile type            Traffic doesn't flow                  Client SSL for incoming, Server SSL for outgoing
Cipher mismatch               Handshake failures                    Align ciphers in both profiles
TLS version mismatch          Connection reset                      Check Options in both profiles

Quick Reference Commands

# List all Client SSL profiles
tmsh list ltm profile client-ssl

# Show specific profile details
tmsh list ltm profile client-ssl my-profile all-properties

# List all certificates on the F5
tmsh list sys crypto cert

# Show certificate details
tmsh list sys crypto cert my-cert all-properties

# Check what ciphers a cipher string produces
tmm --clientciphers 'ECDHE+AES-GCM:ECDHE+AES'

# See all supported ciphers
tmm --clientciphers 'ALL'
