Manual Chapter: Managing SSL Certificates for BIG-IP
In some cases, BIG-IP® systems need to exchange device certificates, that is, Secure Sockets Layer (SSL) certificates and keys used to verify each other's credentials before exchanging data. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.
Note: If you are using SSL certificates to terminate and initiate local SSL traffic, see the Configuration Guide for BIG-IP® Local Traffic Manager.
Self-signed certificates
When you install BIG-IP software, the application includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
CA-signed certificates
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a CA-signed certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using CA-signed certificates is more secure than using self-signed certificates.
To request authentication
A BIG-IP system can send a certificate to another (target) BIG-IP system to request authentication by that target BIG-IP system. In this context, the certificate is referred to as a device certificate. For more information, see Managing device certificates.
To grant authentication
A BIG-IP system can store one or more certificates that it trusts, to check when receiving a device certificate from another BIG-IP system during a request for authentication. For more information, see Managing trusted device certificates.
When requesting SSL authentication from another system, the BIG-IP system needs to present its device certificate. On the BIG-IP system, a device certificate is an SSL certificate that a BIG-IP system presents to another device on the network, for authentication purposes. A device certificate can be either a self-signed certificate or a CA-signed certificate.
You can use the Configuration utility to view information about a device certificate that you have installed on the BIG-IP system. Table 3.1 shows the properties of a device certificate on the BIG-IP system.
Subject
Displays the values of the common name (CN) and organization embedded in the certificate. The default value for a self-signed certificate is localhost.localdomain, MyCompany.
Issuer
Indicates whether the certificate is a self-signed certificate (Self) or a CA-signed certificate (Certificate Authority).
On the Main tab of the navigation pane, expand System, and click Device Certificates. This displays the properties of a device certificate.
You import a device certificate or certificate/key pair when you want to replace the existing device certificate with a different device certificate or certificate/key pair. Table 3.2 lists and describes the settings for importing a device certificate or certificate/key pair.
Import Type
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
Certificate Source
Specifies the source of the SSL certificate you are importing. This setting only appears when you select Certificate, Certificate and Key, or PKCS 12 (IIS) from the Import Type list.
If you select Certificate or Certificate and Key, possible values are:
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the SSL certificate.
If you select PKCS 12 (IIS), you can browse for a file on the system.
Key Source
Specifies the source of the device key you are importing. This setting only appears when you select Certificate and Key from the Import Type list. Possible values are:
Upload File
Displays the Browse button for you to specify the name of the key file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device key.
Password
Specifies the password that is required when importing a PKCS 12 (IIS) file. This setting only appears when you select PKCS 12 (IIS) from the Import Type list.
1. On the Main tab of the navigation pane, expand System and click Device Certificates.
This displays the properties of a self-signed certificate.
2. At the bottom of the screen, click Import.
This displays the screen for importing either a certificate, or a certificate and key.
3. From the Import Type list, select an import type, either Certificate, Certificate and Key, or PKCS 12 (IIS).
4. From the Certificate Source setting:
If the Import Type is Certificate or Certificate and Key, you can click either Upload File or Paste Text:
If you click Upload File, type a file name or click Browse.
If you click Browse, navigate to the relevant Windows® folder, click a file name, and on the browser window, click Open.
If you click Paste Text, copy the text from another source, and paste the text into the Certificate Source window.
If the Import Type is PKCS 12 (IIS), use the Browse button to find the file you want to import.
5. If you selected an import type of Certificate and Key in step 3, then from the Key Source setting, click either Upload File or Paste Text:
If you click Upload File, type a file name or click Browse.
If you click Browse, navigate to the relevant Windows® folder and click a file name.
If you click Paste Text, paste the text into the Key Source window.
6. If you selected PKCS 12 (IIS) from the Import Type list, then in the Password box, type the password that is associated with the certificate source.
7. Click Import.
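Before uploading files on the Import screen described above, it is worth confirming that the key actually belongs to the certificate, and that a PKCS 12 bundle opens with the password you will type into the Password box. The following shell script is an added example, not part of the F5 manual or of BIG-IP: it uses the openssl command-line tool, generates a throwaway self-signed certificate/key pair as sample data (reusing the chapter's default subject values), and every file name in it is an assumption.

```shell
#!/bin/sh
# Added example (not F5 tooling): prepare the files the Device Certificates
# Import screen accepts and check them before uploading, using openssl.
# File names are assumptions; the certificate/key pair is generated here as
# throwaway sample data with the chapter's default subject values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed device certificate and key (what Import Type "Certificate and
# Key" expects: two PEM files, or their text pasted into the two boxes).
make_selfsigned() {   # usage: make_selfsigned key.pem cert.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=localhost.localdomain/O=MyCompany" \
    -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Does the key belong to the certificate?  Compare the public key derived from
# each side; this works for RSA and EC keys alike.  Returns 0 on a match.
key_matches_cert() {  # usage: key_matches_cert cert.pem key.pem
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Print the Subject and Issuer the Device Certificates screen reports.
show_subject_issuer() { openssl x509 -in "$1" -noout -subject -issuer; }

# Bundle certificate and key for the "PKCS 12 (IIS)" import type; "$3" is the
# password the Password box on the import screen will ask for.
make_pkcs12() {       # usage: make_pkcs12 key.pem cert.pem password out.p12
  openssl pkcs12 -export -inkey "$1" -in "$2" -passout "pass:$3" -out "$4" 2>/dev/null
}

# Confirm the PKCS 12 file opens with that password and carries a certificate,
# the two things an import with a wrong password or key-only bundle would lack.
pkcs12_has_cert() {   # usage: pkcs12_has_cert file.p12 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Stand-alone run: build the pair, verify it, bundle it and inspect the bundle.
if [ "${1:-}" = "run" ]; then
  make_selfsigned "$WORK/server.key" "$WORK/server.crt"
  key_matches_cert "$WORK/server.crt" "$WORK/server.key" && echo "key matches certificate"
  show_subject_issuer "$WORK/server.crt"
  make_pkcs12 "$WORK/server.key" "$WORK/server.crt" changeit "$WORK/server.p12"
  pkcs12_has_cert "$WORK/server.p12" changeit && echo "PKCS 12 bundle opens and holds a certificate"
fi
```

Run it as `sh check-import.sh run` (the script name is an assumption). The public-key comparison is deliberately used instead of comparing RSA moduli so that the same check covers EC keys; a mismatch here means the Certificate and Key pair would be rejected or, worse, imported as a non-functional pair.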
When you renew a device certificate, you can change the value of the subject information embedded in a certificate. (For information about the Subject property of a device certificate, see Viewing a device certificate.)
Table 3.1 shows the certificate information that you can modify.
Indicates whether the certificate is a self-signed certificate (Self) or a CA-signed certificate (Certificate Authority).
Specifies the common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Specifies the organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.
Specifies the name of the state or province for the certificate. The state or province name embedded in the certificate is used for name-based authentication.
Specifies the challenge password that you want the Certificate Authority to use. The Certificate Authority uses the challenge password to access the signing request created for this certificate. This property only appears when the Issuer property is set to Certificate Authority.
Specifies the password you typed in the Challenge Password setting. This property only appears when the Issuer setting is set to Certificate Authority.
For self-signed certificates only, specifies the interval for which the self-signed certificate is valid. The default is 365 days. The maximum is 25 years (9,125 days). This property only appears when the Issuer setting is set to Self.
1. On the Main tab of the navigation pane, expand System and click Device Certificates.
This displays the properties of the device certificate.
2. At the bottom of the screen, click Renew.
This displays the screen for renewing the certificate.
4. Click Finished.
You export a device certificate when you want to create a certificate file that you can migrate to another BIG-IP system. Table 3.4 lists and describes the settings for exporting a device certificate.
Certificate Text
Displays the text of the device certificate you want to export. Note that you can copy this text to create a duplicate device certificate.
Certificate File
Displays a button labeled Download <file_name> that you can use to copy the certificate to the BIG-IP system hard disk. An example of a Certificate File button is Download server.crt.
1. On the Main tab of the navigation pane, expand System and click Device Certificates.
This displays the properties of a self-signed certificate.
2. At the bottom of the screen, click Export.
This displays the existing device certificate in the Certificate Text box.
3. For the Certificate File setting, click the Download <file_name> button.
You can use the Configuration utility to import and export private keys. The BIG-IP system uses private keys (with device certificates) when acting as a server to authenticate other BIG-IP systems. Table 3.5 lists and describes the properties of a device key.
Displays the type of device key. An example of a device key type is KTYPE_RSA_PRIVATE.
You import a device key when you want to replace the existing device certificate with a different device certificate or certificate/key pair. Table 3.2 lists and describes the settings for importing a device certificate or certificate/key pair.
Import Type
Specifies whether you want to import a device certificate (Certificate) or a certificate/key pair (Certificate and Key).
Certificate Source
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device certificate.
Key Source
Specifies the source of the device key you are importing. This setting only appears when you select Certificate and Key from the Import Type list. Possible values are:
Upload File
Displays the Browse button for you to specify the name of the key file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device key.
1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
This displays the properties of the device certificate.
2. On the menu bar, click Device Key.
This displays the properties of the device key.
3. Click Import.
4. From the Import Type list, select an import type, either Certificate or Certificate and Key.
5. If the import type is Certificate, then skip step 6 and proceed to step 7.
6. If the import type is Certificate and Key, then from the Certificate Source setting, click either Upload File or Paste Text:
If you click Upload File, type a file name or click Browse.
If you click Browse, navigate to the relevant Windows® folder and click a file name.
If you click Paste Text, paste the text into the Certificate Source window.
7. From the Key Source setting, click either Upload File or Paste Text:
If you click Upload File, type a file name or click Browse.
If you click Browse, navigate to the relevant Windows® folder and click a file name.
If you click Paste Text, paste the text into the Key Source window.
8. Click Import.
You export a device key when you want to create a key file that you can migrate to another BIG-IP system. Table 3.4 lists and describes the settings for exporting a device key.
Displays the text of the device certificate you want to export. Note that you can copy this text to create a duplicate device certificate.
Displays a button labeled Download <file_name> that you can use to copy the certificate to the BIG-IP system hard disk. An example of a Key File button is Download server.key.
1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
This displays the properties of a self-signed certificate.
2. On the menu bar, click Device Key.
This displays the properties of the key.
3. Click Export.
The screen displays the text of the key.
4. Next to the Key File setting, click Download <key_name>.
The BIG-IP system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running Global Traffic Manager might send a request to a Local Traffic Manager system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain in its attempt to authenticate the request.
Level 0
Certificates are verified by the system to which they belong. These types of certificates are also known as self-signed certificates.
Level 1
Certificates are authenticated by a Certificate Authority server that is separate from the system.
Levels 2 through 9
Certificates are authenticated by additional CA servers, which verify the authenticity of other servers. These multiple levels of authentication are referred to as certificate chains, and allow for a tiered verification system that ensures that only authorized communications occur between servers.
Import on to each BIG-IP system the trusted device certificates that are necessary to authenticate communications with other BIG-IP systems.
You can use the Configuration utility to view the certificate or certificate chain that is in the list of trusted device certificates.
1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
This displays the properties of the certificate.
2. On the menu bar, click Trusted Device Certificates.
This displays the properties of any certificate or certificate chain signed by a trusted certificate authority (CA). If no trusted certificate exists, the value of the Subject property shows No certificate.
You import a trusted device certificate or certificate chain when you want to replace the existing certificate or certificate chain with a different certificate or certificate chain. Table 3.8 lists and describes the settings for importing a trusted device certificate or certificate chain.
Specifies whether you want to import a device certificate (Certificate) or a certificate/key pair (Certificate and Key).
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device certificate.
1. On the Main tab of the navigation pane, expand System and click Device Certificates.
This displays the properties of a self-signed certificate.
2. On the menu bar, click Trusted Device Certificates.
This displays the properties of a CA-signed certificate.
4. From the Import Method list, select either Append or Replace.
Note: Select Append if you want to append a certificate to an existing certificate or certificate chain. Select Replace if you want to replace a certificate or certificate chain with a new certificate or certificate chain.
5.
b) Paste the text into the Certificate Source window.
6. If the import method is Replace, then from the Certificate Source setting, click either Upload File or Paste Text:
If you click Upload File, type a file name or click Browse.
If you click Browse, navigate to the relevant Windows® folder and click a file name.
If you click Paste Text, paste the text into the Certificate Source window.
7. Click Import.
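The Append and Replace import methods, and the Level 0 / Level 1 distinction from the trusted device certificate section above, can be modelled outside the Configuration utility with the openssl command-line tool. The script below is an added example and not F5 code: it generates a constructed root CA (Level 0, self-signed) and a device certificate signed by it (Level 1) as sample data, keeps a local file in place of the BIG-IP trusted certificate list, drops duplicates by SHA-256 fingerprint on Append, and runs with openssl verify the kind of check the chapter describes the receiving system performing. File names, the store layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not F5 tooling): model the Trusted Device Certificates import
# methods (Append / Replace) and the Level 0 / Level 1 distinction with openssl.
# File names are assumptions; a throwaway CA and device certificate are generated
# in a temporary directory as constructed sample data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/trusted.crt"      # stands in for the BIG-IP trusted certificate list
: > "$STORE"

# Sample data: a self-signed CA (Level 0) and a device certificate it signs (Level 1).
make_samples() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bigip-gtm.example.com/O=MyCompany" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/device.crt" >/dev/null 2>&1
}

# Level 0 (self-signed) when subject and issuer carry the same name, otherwise Level 1+.
cert_level() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${s#subject=}" = "${i#issuer=}" ]; then echo 0; else echo 1; fi
}

# SHA-256 fingerprint of one PEM certificate, used to spot duplicates.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Number of certificates currently in the store.
store_count() { grep -c 'BEGIN CERTIFICATE' "$STORE" || true; }

# Fingerprints of every certificate in the store (openssl x509 reads only the
# first PEM block of a file, so the bundle is split first).
store_fingerprints() {
  d=$(mktemp -d "$WORK/split.XXXXXX")
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$STORE"
  for f in "$d"/*.pem; do [ -e "$f" ] && fingerprint "$f"; done
  return 0
}

# Import Method Replace: the new certificate becomes the whole list.
# Import Method Append: added to the list unless its fingerprint is already present.
import_trusted() {   # usage: import_trusted Append|Replace file.crt
  case "$1" in
    Replace) : > "$STORE" ;;
    Append)  ;;
    *) echo "unknown import method: $1" >&2; return 1 ;;
  esac
  if [ -s "$STORE" ] && store_fingerprints | grep -qx "$(fingerprint "$2")"; then
    return 0                    # duplicate, nothing to add
  fi
  cat "$2" >> "$STORE"
}

# Can a device certificate be authenticated against the store?  This is the
# kind of check the chapter describes the receiving system performing.
trusted_by_store() { openssl verify -CAfile "$STORE" "$1" >/dev/null 2>&1; }

# Stand-alone run: build samples, populate the store and report.
if [ "${1:-}" = "run" ]; then
  make_samples
  import_trusted Replace "$WORK/ca.crt"
  import_trusted Append "$WORK/ca.crt"        # duplicate, dropped
  echo "store holds $(store_count) certificate(s)"
  echo "ca.crt is Level $(cert_level "$WORK/ca.crt"), device.crt is Level $(cert_level "$WORK/device.crt")"
  trusted_by_store "$WORK/device.crt" && echo "device.crt verifies against the store"
fi
```

Run it as `sh trusted-store.sh run` (the script name is an assumption). Note that a Replace that installs only the device certificate, without its issuing CA, leaves a store against which that very certificate no longer verifies; the trusted list has to hold the issuer (or the chain up to a Level 0 root), not the peer's own certificate.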
You export a trusted device certificate or certificate chain when you want to create a certificate file that you can migrate to another BIG-IP system. Table 3.4 lists and describes the settings for exporting a trusted device certificate or certificate chain.
Displays the text of the trusted device certificate you want to export. Note that you can copy this text to create a duplicate trusted device certificate.
Displays a button labeled Download <file_name> that you can use to copy the certificate to the BIG-IP system hard disk. An example of a Certificate File button is Download client.crt.
1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
This displays the properties of a self-signed certificate.
2. If you want to export a CA-signed certificate, click Trusted Device Certificates on the menu bar.
3. At the bottom of the screen, click Export.
The screen displays the text of the existing certificate.
4. Next to the Certificate File setting, click Download <certificate_name>.