Applies To:

Show Versions Show Versions

Manual Chapter: Managing Client-Side HTTP Traffic Using a CA-Signed Elliptic Curve DSA Certificate
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Managing client-side HTTP traffic using a CA-signed, ECC-based certificate

When you configure the BIG-IP® system to decrypt client-side HTTP requests and encrypt the server responses, you can optionally configure the BIG-IP system to use the Elliptic Curve Digital Signature Algorithm (ECDSA) as part of the BIG-IP system's certificate key chain. The result is that the BIG-IP system performs the SSL handshake usually performed by target web servers, using an ECDSA key type in the certificate key chain.

This particular implementation uses a certificate signed by a certificate authority (CA).

Task summary

To implement client-side authentication using HTTP and SSL with a certificate signed by a certificate authority, you perform a few basic configuration tasks.

Task list

Requesting a signed certificate that includes an ECDSA key

You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the or State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. From the Key Type list, select ECDSA.
  17. From the Curve Name list, select prime256v1 or secp384r1.
  18. Click Finished.
    The Certificate Signing Request screen displays.
  19. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate.
    • For Request File, click the button.
  20. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  21. Click Finished.
    The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for signature.

Creating a custom HTTP profile

An HTTP profile defines the way that you want the BIG-IP®system to manage HTTP traffic.
Note: Other HTTP profile types (HTTP Compression and Web Acceleration) enable you to configure compression and cache settings, as required. Use of these profile types is optional.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box.
  6. Modify the settings, as required.
  7. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating a custom Client SSL profile

You create a custom Client SSL profile when you want the BIG-IP® system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and decrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these authentication and decryption/encryption functions from the destination server. When you perform this task, you specify a certificate key chain that includes Elliptic Curve Digital Signature Algorithm (ECDSA) as the key type.
Note: In addition to specifying an ECDSA certificate key chain, you must also specify an RSA key chain. Specifying an RSA key chain is a minimum requirement for all Client SSL profiles that you configure.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
    The settings become available for change.
  6. For the Certificate Key Chain setting, click Add.
    1. From the Certificate list, select the name of a certificate with a key of type ECDSA.
      This is the name of a certificate that you installed on the BIG-IP® system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the Key list, select the name of an ECDSA key.
      This is the name of a key that you installed on the BIG-IP® system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for Intermediate certificate Authorities (CAs).
      Note: The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP® system administrative users.
    5. Click Add.
  7. Click Add and repeat the process for all certificate key chains that you want to specify. At a minimum, you must specify an RSA certificate key chain.
    Sample configuration with three key types specified

    Sample configuration with three key types specified

    The result is that all specified key chains appear in the text box.
  8. To specify ECDHE ciphers:
    1. From the Configuration list, select Advanced.
    2. In the Ciphers field, type ECDHE.
  9. Configure all other profile settings as needed.
  10. Click Finished.

Creating a pool to process HTTP traffic

You can create a pool of web servers to process HTTP requests.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, from the Available list, select the http monitor and move the monitor to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type 80 in the Service Port field, or select HTTP from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The new pool appears in the Pools list.

Creating a virtual server for client-side HTTP traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manage HTTP traffic over SSL.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 443, or select HTTPS from the list.
  6. From the HTTP Profile list, select the HTTP profile that you previously created.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  8. In the Resources area, from the Default Pool list, select the name of the pool that you created previously.
  9. Click Finished.
After performing this task, the virtual server appears in the Virtual Server List screen.

Implementation results

After you complete the tasks in this implementation, the BIG-IP® system encrypts client-side ingress HTTP traffic using an SSL certificate key chain. The BIG-IP system also re-encrypts server responses before sending the responses back to the client.

The certificate in the certificate key chain includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key and certificate.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)