Manual Chapter : Key Management

Applies To:

BIG-IP AAM 13.0.1, 13.0.0
BIG-IP APM 13.0.1, 13.0.0
BIG-IP LTM 13.0.1, 13.0.0
BIG-IP AFM 13.0.1, 13.0.0
BIG-IP DNS 13.0.1, 13.0.0
BIG-IP ASM 13.0.1, 13.0.0

About managing FIPS keys using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to create FIPS keys, import existing FIPS keys into a hardware security module (HSM), and convert existing keys into FIPS keys.

Existing FIPS keys (.exp files) can only be imported into an HSM that holds the same Master Symmetric Key that was in use when the FIPS keys were exported. The Master Symmetric Key encrypts SSL private keys as they are exported from an HSM, so only an HSM holding the same Master Symmetric Key can decrypt those private keys when they are imported.

Note: Import of FIPS keys is supported only if the F5® system uses the same Master Symmetric Key that was used to export the FIPS keys. An .exp file exported under a different Master Symmetric Key cannot be imported.

Creating FIPS keys using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to create FIPS keys.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click Create.
    The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select Certificate Authority.
    • For a self-signed certificate, select Self.
  5. Configure the Common Name setting and any other settings as needed.
  6. In the Key Properties area, select a key size from the Size list.
  7. From the Security Type list, select FIPS.
  8. Click Finished.

Importing keys using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to import existing keys into the system.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click Import.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, click Create New.
  5. In the Key Name field, type a name for the key.
  6. From the Key Source setting, click either Upload File or Paste Text.
    • If you click Upload File, type a file name or click Browse and select a file.
    • If you click Paste Text, copy the text from another source and paste the text into the Key Source screen.
  7. Click Import.
After you import the key, you can convert it to a FIPS key.

Converting a key to FIPS using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click a certificate name.
    This displays the properties of that certificate.
  3. On the menu bar, click Key.
    This displays the type and size of the key associated with the certificate.
  4. Click Convert to FIPS to convert the key to a FIPS key.
    The key is converted and appears in the list as a FIPS key. Conversion cannot be reversed: once the key is a FIPS key it lives in the HSM and can no longer be used as a normal (software) key.

About managing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS keys, import existing keys into an F5® system, and convert existing keys to FIPS keys.

Creating FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS keys.
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Create a basic key.
    create sys crypto key <key_object_name> security-type fips
    For information about additional options for this command, view the sys crypto key man page: help sys crypto key
    Note: The key creation process takes a few minutes to complete.
  4. Optional: View information about the generated key.
    list sys crypto key <key_object_name>

Importing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing keys into the system.
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Import a key.
    install sys crypto key <key_object_name> from-local-file <path_to_key_file> security-type fips
    This example imports a FIPS key named mykey from a local key file stored in the /shared/tmp directory:
    install sys crypto key mykey from-local-file /shared/tmp/mykey.exp security-type fips

Converting a key to FIPS using tmsh

You can use the Traffic Management Shell (tmsh) to convert a key to a FIPS key.
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Convert an existing key to FIPS.
    install sys crypto key <key_object_name> from-local-file <key_file_path> security-type fips
    As with the Configuration utility, the conversion cannot be reversed after the key is installed as a FIPS key.

Listing FIPS keys in the HSM using tmsh

You can use the Traffic Management Shell (tmsh) to list the FIPS keys in the hardware security module (HSM).
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. List the keys in the HSM. (You are already inside tmsh, so the command is not prefixed with tmsh.)
    show sys crypto fips key
    A summary similar to this example displays:

    -------------------------------------------
    FIPS 140 Hardware Device
    -------------------------------------------
    === private keys (2)
    ID                                      MOD.LEN(bits)
    dd83774207ea554ba1192439de75e1c1        2048
            /Common/testkey1.key
    d750c989e6afeb5ac8ca8aec2b93461b        1024
            /Common/testkey2.key


Listing FIPS keys in the F5 software configuration using tmsh

You can use the Traffic Management Shell (tmsh) to list the FIPS keys in the F5® software configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. List the keys in the F5 software configuration. (You are already inside tmsh, so the command is not prefixed with tmsh.)
    list sys crypto key
    A summary similar to this example displays. FIPS keys carry a key-id that matches the ID reported by show sys crypto fips key; normal (software) keys have no key-id:

    sys crypto key default.key {
        key-size 1024
        key-type rsa-private
        security-type normal
    }
    sys crypto key testkey2.key {
        key-id d750c989e6afeb5ac8ca8aec2b93461b
        key-size 1024
        key-type rsa-private
        security-type fips
    }
    sys crypto key testkey1.key {
        key-id dd83774207ea554ba1192439de75e1c1
        key-size 2048
        key-type rsa-private
        security-type fips
    }


Deleting a key from the F5 software configuration and HSM using tmsh

You can use the Traffic Management Shell (tmsh) to delete a key from the F5® software configuration and the hardware security module (HSM).
  1. Log in to the command line of the system using an account with root access.
  2. Open the Traffic Management Shell (tmsh).
    tmsh
  3. Delete a specified key. This removes both the key object in the software configuration and the corresponding private key in the HSM.
    delete sys crypto key <key_object_name>

Supported FIPS key sizes

These are the supported key sizes for F5® FIPS platforms.

FIPS platform   Supported key sizes (bits)
5000            1024, 2048, 4096
7000            1024, 2048, 4096
10200           1024, 2048, 4096
10350           2048

Additional FIPS platform management tmsh commands

This table lists additional tmsh commands that you can use to manage your FIPS platform.

Command                                   Description
show sys crypto fips key                  Lists information about FIPS keys stored in the FIPS card, including FIPS key ID, modulus length, type, and the associated key objects.
list sys crypto key                       Lists keys in the F5® software configuration.
delete sys crypto key <key_object_name>   Deletes a key from both the F5 software configuration and the FIPS card.
delete sys crypto fips key <key-id>       Deletes a FIPS key from the FIPS card only; the corresponding key object in the software configuration is not removed.
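Because show sys crypto fips key and list sys crypto key present two views of the same material, and delete sys crypto fips key removes a key from only one of them, it is worth reconciling the two after any import, conversion or deletion. The following Python script is an added example, not F5 code or part of this manual: it parses the two outputs shown above (the sample text is copied from this chapter and embedded inline), reports FIPS key objects whose key-id is absent from the card, card keys with no configuration object, size disagreements, sizes the platform table does not list, and, as a policy floor that this example assumes rather than something the chapter states, RSA keys shorter than 2048 bits. Run it against output captured from tmsh on a real system; the platform names and the SUPPORTED_KEY_SIZES dictionary mirror the table above.

```python
import re

# Constructed sample output, copied from the examples shown earlier in this chapter.
SHOW_FIPS_KEY_OUTPUT = """\
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (2)
ID                                      MOD.LEN(bits)
dd83774207ea554ba1192439de75e1c1        2048
        /Common/testkey1.key
d750c989e6afeb5ac8ca8aec2b93461b        1024
        /Common/testkey2.key
"""

LIST_CRYPTO_KEY_OUTPUT = """\
sys crypto key default.key {
    key-size 1024
    key-type rsa-private
    security-type normal
}
sys crypto key testkey2.key {
    key-id d750c989e6afeb5ac8ca8aec2b93461b
    key-size 1024
    key-type rsa-private
    security-type fips
}
sys crypto key testkey1.key {
    key-id dd83774207ea554ba1192439de75e1c1
    key-size 2048
    key-type rsa-private
    security-type fips
}
"""

# Supported FIPS key sizes per platform, from the table in this chapter.
SUPPORTED_KEY_SIZES = {
    "5000": {1024, 2048, 4096},
    "7000": {1024, 2048, 4096},
    "10200": {1024, 2048, 4096},
    "10350": {2048},
}

# Policy floor assumed by this example; the chapter itself states no minimum.
MIN_RSA_BITS = 2048


def parse_hsm_keys(text):
    """Parse 'show sys crypto fips key' into {key_id: (modulus_bits, key_object_path)}."""
    keys = {}
    last_id = None
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{32})\s+(\d+)$", line.strip())
        if m:                                   # "ID  MOD.LEN" row
            last_id = m.group(1)
            keys[last_id] = (int(m.group(2)), None)
            continue
        m = re.match(r"^\s+(/\S+)$", line)      # indented "/Common/name.key" row
        if m and last_id is not None:
            keys[last_id] = (keys[last_id][0], m.group(1))
            last_id = None
    return keys


def parse_config_keys(text):
    """Parse 'list sys crypto key' into {key_name: {attribute: value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^sys crypto key (\S+) \{$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
        elif line.strip() == "}":
            current = None
        elif current is not None and line.strip():
            attr, _, value = line.strip().partition(" ")
            keys[current][attr] = value
    return keys


def reconcile(hsm_keys, config_keys, platform):
    """Return a list of (code, message) findings; an empty list means both views agree."""
    findings = []
    supported = SUPPORTED_KEY_SIZES[platform]
    fips_by_id = {attrs["key-id"]: name for name, attrs in config_keys.items()
                  if attrs.get("security-type") == "fips" and "key-id" in attrs}

    # A FIPS key object whose key-id is not on the card cannot serve TLS traffic.
    # This is what 'delete sys crypto fips key <key-id>' leaves behind.
    for key_id, name in fips_by_id.items():
        if key_id not in hsm_keys:
            findings.append(("missing-in-hsm", f"{name}: key-id {key_id} is not in the HSM"))
        elif hsm_keys[key_id][0] != int(config_keys[name]["key-size"]):
            findings.append(("size-mismatch", f"{name}: HSM reports {hsm_keys[key_id][0]} bits, "
                             f"config says {config_keys[name]['key-size']}"))

    # A card key with no configuration object is orphaned private-key material.
    for key_id, (bits, path) in hsm_keys.items():
        if key_id not in fips_by_id:
            findings.append(("orphan-in-hsm", f"{key_id} ({path}, {bits} bits) has no config object"))

    for name, attrs in config_keys.items():
        bits = int(attrs["key-size"])
        if attrs.get("security-type") == "fips" and bits not in supported:
            findings.append(("unsupported-size", f"{name}: {bits} bits is not supported on the {platform}"))
        if bits < MIN_RSA_BITS:
            findings.append(("weak-size", f"{name}: {bits}-bit RSA key is below {MIN_RSA_BITS} bits"))
    return findings


def audit(platform, hsm_text=SHOW_FIPS_KEY_OUTPUT, config_text=LIST_CRYPTO_KEY_OUTPUT):
    """Run the full check on captured tmsh output and return the findings in order."""
    return reconcile(parse_hsm_keys(hsm_text), parse_config_keys(config_text), platform)


if __name__ == "__main__":
    for code, msg in audit("10350"):
        print(f"{code:17} {msg}")
```

On the sample data the script flags the two 1024-bit keys against the assumed floor and, for a 10350, also flags testkey2.key because that platform supports only 2048-bit FIPS keys. Capture real input with `tmsh show sys crypto fips key > /shared/tmp/hsm.txt` and `tmsh list sys crypto key > /shared/tmp/cfg.txt` from the bash prompt and pass the file contents to audit().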