Applies To:

Show Versions Show Versions

Manual Chapter: SSL Certificates
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About SSL certificates on the BIG-IP system

Before systems on a network can authenticate one another using SSL, you must install one or more SSL certificates on the BIG-IP system. An SSL certificate is a certificate that a BIG-IP system device presents to another device on the network, for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.

When you install BIG-IP software, the application includes a self-signed SSL certificate named Default. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.

If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more secure than using self-signed certificates.

To ease the task of creating certificate requests and sending them to certificate authorities for signature, the BIG-IP system provides a set of certificate management screens within the Configuration utility.

The SSL certificate list

You can use the Configuration utility to view the list of SSL certificates that you have installed on the BIG-IP system. This list displays the following information:

Certificate name
The name of the certificate.
The type of certificate content, for example, Certificate Bundle or Certificate and Key.
Common name
The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Expiration date
The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.

Certificate installation on the BIG-IP system

You must install certificates onto the BIG-IP system when you want BIG-IP Local Traffic Manager to terminate or initiate SSL traffic. After you install a certificate and private key, you create an SSL profile that references that certificate and key.

You can install multiple certificates and keys on the BIG-IP system. This allows each SSL profile that you create to reference a different certificate and key if necessary. Installing a certificate refers to either of these tasks:

  • Creating either a self-signed certificate or a trusted certificate
  • Importing an existing certificate file and key file

A trusted certificate is one that you create and then send to a certificate authority (CA) for signature.

Self-signed and trusted certificates

Using the Configuration utility, you can either generate a self-signed certificate (usually used for internal test purposes only) or you can generate a certificate and submit it to a trusted certificate authority for signature. When you send a certificate and a request for signature to a certificate authority, the certificate authority returns a signed certificate. You can send a certificate request to a certificate authority in either of two ways:

  • You can copy the text of the newly-generated request from the Configuration utility screen and give it to the certificate authority (using cut and paste).
  • You can download the newly-generated request to a file and transmit the file to the certificate authority.

The way to transmit the request to a certificate authority (either through pasting the text or through a file attachment) is by accessing the certificate authority’s web site. The Configuration utility screen for submitting a request for signature by a certificate authority includes links to various certificate authority web sites.

About importing existing certificates

You can use the Configuration utility to install a SSL certificate that already exists on the system hard drive. Installing an existing certificate is known as importing the certificate. When you import a certificate, the certificate appears on the Certificate List screen. You can import a private key, a certificate or certificate bundle, or an archive.

About certificate management

For certificates that are installed on the BIG-IP system, you can manage them in several ways. You can:

  • Generate and download an archive file
  • Delete a certificate
  • View certificate and key properties
  • Replace a certificate or key
  • Renew a certificate
  • Export a certificate and key
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)