Before systems on a network can authenticate one another using SSL, you must install one or more SSL certificates on the BIG-IP system. An SSL certificate is a certificate that a BIG-IP system device presents to another device on the network, for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.
When you install BIG-IP software, the application includes a self-signed SSL certificate named Default. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more secure than using self-signed certificates.
To ease the task of creating certificate requests and sending them to certificate authorities for signature, the BIG-IP system provides a set of certificate management screens within the Configuration utility.
You can use the Configuration utility to view the list of SSL certificates that you have installed on the BIG-IP system. This list displays the following information:
You must install certificates onto the BIG-IP system when you want BIG-IP Local Traffic Manager to terminate or initiate SSL traffic. After you install a certificate and private key, you create an SSL profile that references that certificate and key.
You can install multiple certificates and keys on the BIG-IP system. This allows each SSL profile that you create to reference a different certificate and key if necessary. Installing a certificate refers to either of these tasks:
A trusted certificate is one that you create and then send to a certificate authority (CA) for signature.
Using the Configuration utility, you can either generate a self-signed certificate (usually used for internal test purposes only) or you can generate a certificate and submit it to a trusted certificate authority for signature. When you send a certificate and a request for signature to a certificate authority, the certificate authority returns a signed certificate. You can send a certificate request to a certificate authority in either of two ways:
To transmit the request to a certificate authority, whether by pasting the text or by attaching a file, you access the certificate authority’s web site. The Configuration utility screen for submitting a request for signature by a certificate authority includes links to various certificate authority web sites.
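The request-and-sign flow described above, reproduced with the OpenSSL command line as an added example (not F5 code and not the Configuration utility's own procedure). The host name `bigip1.example.test` and the CA name `example-ca` are constructed placeholders, and a local throwaway CA stands in for the third-party authority.

```shell
#!/bin/sh
# Added example. All names (bigip1.example.test, example-ca) are constructed placeholders.
set -eu
WORK=$(mktemp -d)

# Device side: new private key plus a certificate signing request (CSR).
make_request() {   # $1 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-signed: the device signs the request with its own key.
self_sign() {      # $1 = common name
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -days 30 -out "$WORK/$1.self.crt" 2>/dev/null
}

# CA side (stand-in for the third party): root certificate, then sign the CSR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
ca_sign() {        # $1 = common name
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.ca.crt" 2>/dev/null
}

# Self-signed means issuer == subject AND the signature verifies under its own key.
# Anything else is reported as signed by another party.
classify() {       # $1 = certificate path
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    if [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Pre-import check: does this private key belong to this certificate?
key_matches() {    # $1 = certificate path, $2 = key path
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

make_request bigip1.example.test
self_sign bigip1.example.test
make_ca
ca_sign bigip1.example.test
echo "self: $(classify "$WORK/bigip1.example.test.self.crt")"
echo "ca:   $(classify "$WORK/bigip1.example.test.ca.crt")"
```

Running `key_matches` before an import catches a certificate paired with the wrong private key, which would otherwise surface only when an SSL profile references the pair.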
You can use the Configuration utility to install an SSL certificate that already exists on the system hard drive. Installing an existing certificate is known as importing the certificate. When you import a certificate, the certificate appears on the Certificate List screen. You can import a private key, a certificate or certificate bundle, or an archive.
You can manage certificates that are installed on the BIG-IP system in several ways. You can: