Manual Chapter: SSL Certificate Management

Applies To:

BIG-IP AAM

  • 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP Analytics

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP Link Controller

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP LTM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP AFM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP PEM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP DNS

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

BIG-IP ASM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1

Supported certificate/key types

The BIG-IP® system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:

  • Rivest Shamir Adleman (RSA)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Digital Signature Algorithm (DSA)

When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.

Note: On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About RSA certificates

RSA (Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP® system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses its private key associated with the public key to decrypt the data. Only the private key can be used to decrypt data encrypted with the public key.

The RSA encryption algorithm includes an authentication mechanism.

Note: On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About DSA certificates

DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than that of RSA. DSA is paired with a key exchange method such as Diffie-Hellman or Elliptic Curve Diffie-Hellman to achieve a comparable level of security to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with new government standards, such as those for specific key lengths.

About ECDSA certificates

When creating certificates on the BIG-IP® system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm). An ECDSA key is based on Elliptic Curve Cryptography (ECC), and provides better security and performance with significantly shorter key lengths.

For example, an RSA key size of 2048 bits is equivalent to an ECC key size of only 224 bits. As a result, less computing power is required, resulting in faster, more secure connections. Encryption based on ECC is ideally suited for mobile devices that cannot store large keys. The BIG-IP system supports both the prime256v1 and secp384r1 curve names.

About SSL certificate management

You can obtain a certificate for the BIG-IP system by using the BIG-IP® Configuration utility to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.

In addition to requesting CA-signed certificates, you can create self-signed certificates. You create self-signed certificates primarily for testing purposes within an organization.

When you install the BIG-IP software, the application includes a default self-signed certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate bundle contains certificates from most of the well-known CAs.

Note: To manage digital certificates for the BIG-IP system, you must have a role of Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user account.

Creating a self-signed digital certificate

If you are configuring the BIG-IP® system to manage client-side HTTP traffic, you perform this task to create a self-signed certificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system to manage server-side HTTP traffic, you must repeat this task to create a second self-signed certificate to authenticate and secure the server-side HTTP traffic.
 
If you are creating a CSR for the device certificate for managing the system, begin with step 2.
  1. For traffic CSRs (client SSL & server SSL profiles): On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens. Proceed to step 3.
  2. For Device Certificate CSRs: On the Main tab, click System > File Management > SSL Certificate List. Proceed to step 3.
  3. Click Create.
  4. In the Name field, type a unique name for the SSL certificate.
  5. From the Issuer list, select Self.
  6. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  7. In the Division field, type your department name.
  8. In the Organization field, type your company name.
  9. In the Locality field, type your city name.
  10. In the State or Province field, type your state or province name.
  11. From the Country list, select the name of your country.
  12. In the E-mail Address field, type your email address.
  13. In the Lifetime field, type a number of days, or retain the default, 365.
  14. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  15. From the Key Type list, select a key type.
    Possible values are: RSA, DSA, and ECDSA.
  16. From the Size or Curve Name list, select either a size, in bits, or a curve name.
  17. If the BIG-IP system contains an internal HSM module, specify a location for storing the private key.
  18. Click Finished.

Requesting a certificate from a certificate authority

You perform this task to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA).
Note: F5 Networks recommends that you consult the CA to determine the specific information required for each step in this task.
  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. From the Key Type list, select a key type.
    Possible values are: RSA, DSA, and ECDSA.
  17. From the Size or Curve Name list, select either a size, in bits, or a curve name.
  18. If the BIG-IP system contains an internal HSM module, specify a location for storing the private key.
  19. Click Finished.
    The Certificate Signing Request screen displays.
  20. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate.
    • For Request File, click the button.
  21. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  22. Click Finished.
    The Certificate Signing Request screen displays.
The generated certificate signing request is submitted to a trusted certificate authority for signature.
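
Before pasting or attaching the request in steps 20 and 21, the exported CSR can be inspected offline to confirm that it carries the key type, curve, and subject alternative names that were selected. The following shell script is an added example, not part of the F5 manual; it assumes the openssl command-line tool is installed, and the function names, file names, and sample subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code). Requires the openssl command-line tool.

# Print the key type carried in a CSR, e.g. "ECDSA prime256v1" or "RSA 2048".
csr_key_type() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    case $alg in
        id-ecPublicKey) echo "ECDSA $(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *//p' | head -n 1)" ;;
        rsaEncryption)  echo "RSA $bits" ;;
        dsaEncryption)  echo "DSA $bits" ;;
        *)              return 1 ;;
    esac
}

# Succeed only if the CSR's self-signature verifies (the request is intact).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_has_san FILE NAME...: succeed only if every NAME is a DNS SAN entry.
csr_has_san() {
    csr=$1; shift
    sans=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$name" || return 1
    done
}

# make_sample_csr DIR CURVE: constructed throwaway key and CSR for the demo.
make_sample_csr() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'req_extensions=ext' 'prompt=no' \
        '[dn]' 'CN=www.siterequest.com' 'O=Example Org' '[ext]' \
        'subjectAltName=DNS:www.siterequest.com,DNS:siterequest.com' > "$1/req.cnf"
    openssl ecparam -name "$2" -genkey -noout -out "$1/key.pem" 2>/dev/null &&
        openssl req -new -key "$1/key.pem" -config "$1/req.cnf" -out "$1/req.csr"
}

demo=$(mktemp -d)
make_sample_csr "$demo" prime256v1
csr_key_type "$demo/req.csr"
csr_signature_ok "$demo/req.csr" && echo "self-signature OK"
csr_has_san "$demo/req.csr" www.siterequest.com siterequest.com && echo "SAN entries present"
rm -rf "$demo"
```

To check a request generated on the BIG-IP system, save the Request Text to a file and pass that file to the three check functions in place of the sample.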

About SSL file import

You can import several types of SSL files onto the BIG-IP system.

Importing a certificate signed by a certificate authority

Before performing this task, confirm that a digital certificate signed by a certificate authority (CA) is available.
You can install an SSL certificate signed by a CA by importing a certificate that already exists on the hard drive of the management workstation. You can import a private key, a certificate or certificate bundle, or an archive.
  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting, do one of the following:
    • Select the Create New option, and type a unique name in the field.
    • Select the Overwrite Existing option, and select a certificate name from the list.
  5. For the Certificate Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the certificate file.
    • Select the Paste Text option, and paste the certificate text copied from another source.
  6. Click Import.
After you perform this task, the SSL certificate that was signed by a CA is installed.

Importing an SSL key

You can use the BIG-IP® Configuration utility to import an SSL key onto the BIG-IP system from another location.
  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, do one of the following:
    • Select the Create New option, and type a unique name in the field.
    • Select the Overwrite Existing option, and select a certificate name from the list.
  5. For the Key Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the key file.
    • Select the Paste Text option, and paste the key text copied from another source.
  6. In the Password field, type the password associated with the import source.
  7. From the Security Type list, select a security type.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified key.
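
When a CA-signed certificate and its private key are imported as separate files, as in the two tasks above, it is worth confirming on the management workstation that the two files belong together and that the certificate is not close to expiry. The following shell script is an added example, not part of the F5 manual; it assumes the openssl command-line tool and unencrypted PEM files, and the function names, file names, and self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code). Requires the openssl command-line tool.
# Keys are assumed to be unencrypted PEM; an encrypted key needs -passin.

# Print the PEM public key of a certificate ("cert") or private key ("key").
pub_pem() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# cert_matches_key CERT KEY: succeed only if both carry the same public key.
cert_matches_key() {
    c=$(pub_pem cert "$1") && k=$(pub_pem key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days CERT DAYS: succeed if CERT is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# make_sample_pair DIR: constructed inputs. key.pem with a 365-day self-signed
# cert.pem (standing in for the CA-issued certificate) and an unrelated other.pem.
make_sample_pair() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        '[dn]' 'CN=www.siterequest.com' > "$1/cert.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" 2>/dev/null &&
        openssl ecparam -name secp384r1 -genkey -noout -out "$1/other.pem" 2>/dev/null &&
        openssl req -x509 -new -key "$1/key.pem" -config "$1/cert.cnf" -days 365 -out "$1/cert.pem"
}

demo=$(mktemp -d)
make_sample_pair "$demo"
cert_matches_key "$demo/cert.pem" "$demo/key.pem"   && echo "key.pem matches cert.pem"
cert_matches_key "$demo/cert.pem" "$demo/other.pem" || echo "other.pem does NOT match cert.pem"
cert_valid_for_days "$demo/cert.pem" 30 && echo "valid for at least 30 more days"
rm -rf "$demo"
```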

Importing a PKCS-formatted file

You can use the BIG-IP® Configuration utility to import a file in Public Key Cryptography Standards (PKCS) number 12 format onto the BIG-IP system.
  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. Click the Import button.
  3. From the Import Type list, select PKCS 12 (IIS).
  4. For the Certificate Name setting, type a certificate name.
  5. For the Certificate Source setting, click Browse and locate the source file.
  6. In the Password field, type the password associated with the import source.
  7. From the Security Type list, select a security type.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file.

Importing an archive file

You can use the BIG-IP® Configuration utility to upload an archive file onto the BIG-IP system.
  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. Click the Import button.
  3. For the Upload Archive File setting, click Browse and select the file to be imported.
  4. Click the Load button.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Exporting an SSL certificate

You perform this task to export an SSL certificate to another device.
  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. Click the name of the certificate you want to export.
    The General Properties screen displays.
  3. Click Export.
    The Certificate Export screen displays the contents of the certificate in the Certificate Text box.
  4. To obtain the certificate, do one of the following:
    • Copy the text from the Certificate Text field, and paste it as needed into an interface on another system.
    • At the Certificate File option, click Download filename where filename is the name of the certificate file, such as mycert.crt.

Viewing a list of certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP® system.

  1. On the Main tab, click System > File Management > SSL Certificate List.
    The SSL Certificate List screen opens.
  2. In the Name column, view the list of certificates on the system.

Digital certificate properties

When you use the BIG-IP® Configuration utility to view the list of digital certificates that you have installed on the BIG-IP® system, you can see information for each certificate.

Property: Description
  • Certificate: The name of the certificate.
  • Content: The type of certificate content, for example, Certificate Bundle or Certificate and Key.
  • Common name: The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
  • Expiration date: The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
  • Organization: The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.