Manual Chapter: SSL Certificates
Before systems on a network can authenticate one another using SSL, you must install one or more SSL certificates on the BIG-IP® system. An SSL certificate is a certificate that a BIG-IP system device presents to another device on the network, for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.
When you install BIG-IP® software, the application includes a self-signed SSL certificate named Default. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more secure than using self-signed certificates.
To ease the task of creating certificate requests and sending them to certificate authorities for signature, the BIG-IP system provides a set of certificate management screens within the Configuration utility. To access these screens, locate the Main tab, expand System, and click File Management. Then, on the menu bar, click SSL Certificates List.
You can use the Configuration utility to view the list of SSL certificates that you have installed on the BIG-IP system. This list displays the following information:
Certificate name
The name of the certificate.
Content
The type of certificate content, for example, Certificate Bundle or Certificate & Key.
Common name
The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Expiration date
The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization
The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.
You must install certificates onto the BIG-IP® system when you want BIG-IP® Local Traffic Manager™ to terminate or initiate SSL traffic. After you install a certificate and private key, you create an SSL profile that references that certificate and key.
You can install multiple certificates and keys on the BIG-IP system. This allows each SSL profile that you create to reference a different certificate and key if necessary.
Using the Configuration utility, you can either generate a self-signed certificate (usually used for internal test purposes only) or you can generate a certificate and submit it to a trusted certificate authority for signature. When you send a certificate and a request for signature to a certificate authority, the certificate authority returns a signed certificate.
You can copy the text of the newly-generated request from the Configuration utility screen and give it to the certificate authority (using cut and paste).
The way to transmit the request to a certificate authority (either by pasting the text or by attaching a file) is by accessing the certificate authority's web site. The Configuration utility screen for submitting a request for signature by a certificate authority includes links to various certificate authority web sites.
You can use the Configuration utility to install an SSL certificate that already exists on the system hard drive. Installing an existing certificate is known as importing the certificate. When you import a certificate, the certificate appears on the Certificate List screen. You can import a private key, a certificate or certificate bundle, or an archive.
Table 10.1 lists and describes the settings that you configure to import a private key file.
Import Type
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
Key Name
When you select an import type of Key, displays the name of the SSL key. This setting only appears when you select Key from the Import Type list. You cannot change this value when importing an SSL key.
Key Source
Specifies the source of the device key you are importing. This setting only appears when you select Key from the Import Type list. Possible values are:
Upload File
Displays the Browse button for you to specify the name of the key file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device key.
Table 10.2 lists and describes the settings that you configure to import an existing certificate file.
Import Type
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
Certificate Name
When you select an import type of Certificate, displays the name of the SSL certificate. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list. You cannot change this value when importing an SSL certificate.
Certificate Source
Specifies the source of the SSL certificate you are importing. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list. If you select Certificate, the possible values are:
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the SSL certificate.
Table 10.3 lists and describes the settings that you configure to import a certificate that is formatted as a PKCS 12 (IIS) file.
Import Type
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
Certificate Name
When you select an import type of PKCS 12 (IIS), displays the name of the PKCS 12 (IIS) file. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list. You cannot change this value when importing a PKCS 12 (IIS) file.
Certificate Source
Specifies the source of the PKCS 12 (IIS) file you are importing. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list.
Table 10.4 lists and describes the settings that you configure to import an archive file.
Import Type
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
You can use the Configuration utility to view information about an SSL certificate and its key that you have installed on the BIG-IP system.
Table 10.5 shows the properties of the certificate portion of a certificate/key pair.
Subject
Displays the values of the common name (CN) and organization embedded in the certificate. The default value for a self-signed certificate is localhost.localdomain, MyCompany.
Issuer
Indicates whether the certificate is a self-signed certificate (Self) or a trusted CA certificate (Certificate Authority).
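The columns of the certificate list described earlier in this chapter (Content, Common name, Organization, Expiration date) and the Issuer property in Table 10.5 can all be read from a PEM file with the openssl command line tool. This is an added example, not part of the F5 manual; it generates its own constructed sample certificate (the BIG-IP default subject) in a scratch directory and assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the F5 manual): derive the BIG-IP Certificate List
# columns and the Issuer property from a PEM file with the openssl CLI.
set -e
# Constructed sample: a self-signed certificate with the BIG-IP default subject.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=localhost.localdomain/O=MyCompany" \
  -keyout "$WORK/default.key" -out "$WORK/default.crt" >/dev/null 2>&1

# Subject attribute (CN or O). RFC2253 output is "subject=O=...,CN=...";
# values that contain commas would be escaped and need extra handling.
cert_attr() {  # $1 = PEM certificate, $2 = attribute name
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | grep "^$2=" | cut -d= -f2-
}

# Issuer column: "Self" when the subject and issuer names are identical,
# otherwise "Certificate Authority".
issuer_type() {  # $1 = PEM certificate
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$s" = "$i" ]; then echo "Self"; else echo "Certificate Authority"; fi
}

# Expiration date column, plus a check that succeeds (exit 0) when the
# certificate expires within $2 days, so a renewal can be scheduled in time.
expiration_date() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
expires_within_days() { ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null; }

# Content column, classified from the PEM blocks present in the file.
content_type() {  # $1 = PEM file
  certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
  if [ "$certs" -gt 1 ]; then echo "Certificate Bundle"
  elif [ "$certs" -eq 1 ] && [ "$keys" -ge 1 ]; then echo "Certificate & Key"
  elif [ "$certs" -eq 1 ]; then echo "Certificate"
  elif [ "$keys" -ge 1 ]; then echo "Key"
  else echo "Unknown"; fi
}

# Constructed bundle and certificate/key pair to exercise the classifier.
cat "$WORK/default.crt" "$WORK/default.crt" > "$WORK/bundle.crt"
cat "$WORK/default.crt" "$WORK/default.key" > "$WORK/pair.pem"

# One row in the shape of the Certificate List screen.
printf '%s\t%s\t%s\t%s\t%s\n' "$(content_type "$WORK/default.crt")" \
  "$(cert_attr "$WORK/default.crt" CN)" "$(cert_attr "$WORK/default.crt" O)" \
  "$(expiration_date "$WORK/default.crt")" "$(issuer_type "$WORK/default.crt")"
```

A certificate whose subject still reads localhost.localdomain, MyCompany with Issuer Self is the factory default and should be replaced before the SSL profile that references it serves production traffic.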
Table 10.6 lists and describes the properties of a private key.
Key Type
Displays the type of device key. An example of a device key type is KTYPE_RSA_PRIVATE.
You can use the Configuration utility to replace an SSL certificate or certificate/key pair with another one. To replace a certificate, you can display the properties of a certificate and then click Import.
Table 10.7 lists and describes the settings for replacing an SSL certificate.
Import Type
Specifies whether you want to import an SSL certificate (Certificate) or a certificate/key pair (Certificate and Key).
Certificate Source
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the SSL certificate.
Key Source
Specifies the source of the device key you are importing. This setting only appears when you select Certificate and Key from the Import Type list. Possible values are:
Upload File
Displays the Browse button for you to specify the name of the key file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device key.
Table 10.8 shows the subject information you can modify, along with the key size.
Issuer
Indicates whether the certificate is a self-signed certificate (Self) or a trusted CA certificate (Certificate Authority).
Common Name
Specifies the common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Organization
Specifies the organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.
State or Province
Specifies the name of the state or province for the certificate. The state or province name embedded in the certificate is used for name-based authentication.
Challenge Password
Specifies the challenge password that you want the Certificate Authority to use. The Certificate Authority uses the challenge password to access the signing request created for this certificate. This property only appears when the Issuer property is set to Certificate Authority.
Confirm Password
Specifies the password you typed in the Challenge Password setting. This property only appears when the Issuer setting is set to Certificate Authority.
Lifetime
For self-signed certificates only, specifies the interval for which the self-signed certificate is valid. The default is 365 days. The maximum is 25 years (9,125 days). This property only appears when the Issuer setting is set to Self.
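The request that the Configuration utility builds from the Table 10.8 fields is an ordinary PKCS#10 signing request, so the checks an administrator should run before pasting it into a certificate authority's web site can be shown with openssl. This is an added example, not part of the F5 manual: the subject values, the request configuration and the challenge password are constructed placeholders, and an openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the F5 manual): build a signing request carrying the
# subject fields and challenge password from Table 10.8, then verify it.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed request configuration; every value here is a placeholder.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
attributes = attrs
prompt = no
[ dn ]
CN = www.example.com
O = MyCompany
ST = Washington
[ attrs ]
challengePassword = PLACEHOLDER-CHALLENGE-PASSWORD
EOF

# Private key stays on the device; only the request leaves it.
openssl genrsa -out "$WORK/www.key" 2048 2>/dev/null
openssl req -new -key "$WORK/www.key" -config "$WORK/req.cnf" \
  -out "$WORK/www.csr" >/dev/null 2>&1

# Check 1: the request's self-signature verifies, so it was not corrupted
# while being copied and pasted.
csr_verifies() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Check 2: the request and the private key carry the same public key, so the
# certificate the CA returns will pair with the key installed on the BIG-IP.
key_matches_csr() {  # $1 = private key, $2 = request
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 3: the challenge password attribute the CA expects is present.
has_challenge_password() { openssl req -in "$1" -noout -text | grep -q challengePassword; }

# Guard for the Lifetime field of a self-signed certificate: 1 to 9,125 days.
lifetime_ok() { [ "$1" -ge 1 ] && [ "$1" -le 9125 ]; }

# The text to hand to the certificate authority.
cat "$WORK/www.csr"
```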
You export an SSL certificate and private key when you want to create certificate and key files that you can migrate to another BIG-IP system.
Table 10.9 lists and describes the settings for exporting an SSL certificate.
Certificate Text
Displays the text of the SSL certificate you want to export. Note that you can copy this text to create a duplicate SSL certificate.
Certificate File
Displays a button labeled Download <file_name> that you can use to copy the certificate to the BIG-IP system hard disk. An example of a Certificate File button is Download default.crt.
Table 10.9 lists and describes the settings for exporting a private key.
Key Text
Displays the text of the private key you want to export. Note that you can copy this text to create a duplicate SSL key.
Key File
Displays a button labeled Download <file_name> that you can use to copy the key to the BIG-IP system hard disk. An example of a Key File button is Download default.key.