Manual Chapter: Managing SSL Certificates for Local Traffic
Before systems on a network can authenticate one another using SSL, you must install one or more SSL certificates on the BIG-IP system. An SSL certificate is a certificate that a BIG-IP system presents to another device on the network for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.
When you install BIG-IP® software, the application includes a self-signed SSL certificate named Default. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more secure than using self-signed certificates.
To ease the task of creating certificate requests and sending them to certificate authorities for signature, the BIG-IP system provides a set of certificate management screens within the Configuration utility. You access these certificate management screens from the Local Traffic section of the Configuration utility.
On the Main tab of the navigation pane, expand Local Traffic, and click SSL certificates.
Certificate name
The name of the certificate.
Content
The type of certificate content, for example, Certificate Bundle or Certificate & Key.
Common name
The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Expiration date
The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization
The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.
You must install certificates onto the BIG-IP® system when you want BIG-IP® Local Traffic Manager™ to terminate or initiate SSL traffic. After you install a certificate and private key, you create an SSL profile that references that certificate and key.
You can install multiple certificates and keys on the BIG-IP system. This allows each SSL profile that you create to reference a different certificate and key if necessary.
Using the Configuration utility, you can either generate a self-signed certificate (usually used for internal test purposes only) or you can generate a certificate and submit it to a trusted certificate authority for signature. When you send a certificate and a request for signature to a certificate authority, the certificate authority returns a signed certificate.
You can copy the text of the newly generated request from the Configuration utility screen and give it to the certificate authority (using cut and paste).
The way to transmit the request to a certificate authority (either by pasting the text or by attaching a file) is by accessing the certificate authority's web site. The Configuration utility screen for submitting a request for signature by a certificate authority includes links to various certificate authority web sites.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
This displays the SSL Certificates screen.
4. For the Issuer setting, select Self.
5. Configure the Common Name setting, and any other settings you want.
7. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
This displays the SSL Certificates screen.
4. In the Issuer box, select Certificate Authority.
5. Configure the Common Name setting (required).
This value is embedded in a certificate for name-based authentication purposes.
a) Specify the key size (512, 1024, or 2048).
b)
8. Click Finished.
This displays your certificate request.
Click the button in the Request File box.
10. In the Certificate Authorities box, click a certificate authority name.
This displays the web site for the certificate authority.
11. Follow the instructions on the web site for either pasting the copied request or attaching the generated request file.
12. Click Finished.
You can use the Configuration utility to install an SSL certificate that already exists on the system hard drive. Installing an existing certificate is known as importing the certificate. When you import a certificate, the certificate appears on the Certificate List screen. You can import a private key, a certificate or certificate bundle, or an archive.
Table 9.1 lists and describes the settings that you configure to import a private key file.
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
When you select an import type of Key, displays the name of the SSL key. This setting only appears when you select Key from the Import Type list. You cannot change this value when importing an SSL key.
Specifies the source of the device key you are importing. This setting only appears when you select Key from the Import Type list. Possible values are:
Upload File
Displays the Browse button for you to specify the name of the key file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device key.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL certificates.
This displays the list of certificates installed on the system.
3. From the Import Type list, select Key.
4. For the Key Name setting, click Create New.
5. In the Key Name box, type a name for the key.
6. From the Key Source setting, click either Upload File or Paste Text. If you click:
a) Upload File, type a file name or click Browse and select a file.
b) Paste Text, copy the text from another source, and paste the text into the Key Source window.
7. Click Import.
Table 9.2 lists and describes the settings that you configure to import an existing certificate file.
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
When you select an import type of Certificate, displays the name of the SSL certificate. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list. You cannot change this value when importing an SSL certificate.
Specifies the source of the SSL certificate you are importing. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list.
If you select Certificate, the possible values are:
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the SSL certificate.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL certificates.
This displays the list of certificates installed on the system.
3. From the Import Type list, select Certificate.
4. For the Certificate Name setting, click Create New.
5. In the Certificate Name box, type a name for the certificate.
6. From the Certificate Source setting, click either Upload File or Paste Text. If you click:
a) Upload File, type a file name or click Browse and select a file.
b) Paste Text, copy the text from another source and paste the text into the Certificate Source window.
7. Click Import.
Table 9.3 lists and describes the settings that you configure to import a certificate that is formatted as a PKCS 12 (IIS) file.
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
When you select an import type of PKCS 12 (IIS), displays the name of the PKCS 12 (IIS) file. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list. You cannot change this value when importing a PKCS 12 (IIS) file.
Specifies the source of the PKCS 12 (IIS) file you are importing. This setting only appears when you select Certificate or PKCS 12 (IIS) from the Import Type list.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL certificates.
This displays the list of certificates installed on the system.
3. From the Import Type list, select PKCS 12 (IIS).
4. For the Certificate Name setting, type a name.
5. From the Certificate Source setting, click Browse and select a file name.
6. In the Password box, type the password associated with the certificate source.
7. Click Import.
Table 9.4 lists and describes the settings that you configure to import an archive file.
Specifies whether you want to import an SSL key, certificate, PKCS 12 (IIS) file, or certificate archive. Possible values are Key, Certificate, PKCS 12 (IIS), and Archive.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL certificates.
This displays the list of existing SSL certificates.
3. From the Import Type list, select Archive.
4. For the Upload Archive File setting, click Browse and select a file name.
5. Click Load.
1. On the Main tab of the navigation pane, expand System and click SSL certificates.
This displays the properties of a self-signed certificate.
2.
3. On the bottom of the screen, click Archive.
The certificates you selected in step 2 appear in the Keys to Archive and Certificates to Archive boxes.
4. In the Archive File Name box, type a unique name for the archive.
5. If you want to change the list of keys and certificates to be included in the archive, use the Key List and Certificate List settings to move key and certificate names to or from the Available boxes.
6. In the Archive File setting, click the Generate & Download Archive button.
Click the Delete button to open the Confirm Delete screen, where you can permanently remove the selected certificates from the configuration. Note that you cannot delete certificates that are referenced by other elements in the system's configuration.
1. On the Main tab of the navigation pane, expand System and click SSL certificates.
This displays the properties of a self-signed certificate.
3. On the bottom of the screen, click Delete.
A confirmation screen appears.
4. Click Delete.
You can use the Configuration utility to view information about an SSL certificate and its key that you have installed on the BIG-IP system.
Table 9.5 shows the properties of the certificate portion of a certificate/key pair.
Displays the values of the common name (CN) and organization embedded in the certificate. The default value for a self-signed certificate is localhost.localdomain, MyCompany.
Indicates whether the certificate is a self-signed certificate (Self) or a trusted CA certificate (Certificate Authority).
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
This opens the SSL Certificates screen and lists all certificates installed on the BIG-IP system.
2. In the Name column, click a certificate name.
This displays the properties of that certificate.
Table 9.6 lists and describes the properties of a private key.
Displays the type of device key. An example of a device key type is KTYPE_RSA_PRIVATE.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
This opens the SSL Certificates screen and lists all certificates installed on the BIG-IP system.
2. In the Name column, click a certificate name.
This displays the properties of that certificate.
3. On the menu bar, click Key.
This displays the type and size of the key that is associated with the certificate.
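As an added example (not part of the F5 manual), the following Go program checks an exported certificate/key pair for the same facts the certificate list and the Key tab show: common name, organization, expiration date, key type and size, plus whether the private key actually belongs to the certificate, which the screens above do not verify for you. It assumes a PEM certificate with a PKCS#1 RSA key as produced by the export procedures later in this chapter; the 2048-bit threshold (the request screen still offers 512 and 1024) and the 30-day expiry window are my own choices, and the sample pair is generated inside the program rather than taken from a BIG-IP.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertInfo mirrors the list columns (Common name, Organization, Expiration date) and the Key tab.
type CertInfo struct {
	CommonName, Organization, KeyType string
	KeyBits                           int
	Expires                           time.Time
	WeakKey, ExpiresSoon              bool
}

// InspectPair parses an exported .crt/.key PEM pair (PKCS#1 RSA key), checks that the key belongs to the cert, and flags risks.
func InspectPair(certPEM, keyPEM []byte, now time.Time) (CertInfo, error) {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	if cb == nil || kb == nil {
		return CertInfo{}, fmt.Errorf("PEM block missing or mangled (check the BEGIN/END lines)")
	}
	cert, errC := x509.ParseCertificate(cb.Bytes)
	key, errK := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if errC != nil || errK != nil {
		return CertInfo{}, fmt.Errorf("parse failed: cert=%v key=%v", errC, errK)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.Cmp(key.N) != 0 { // modulus mismatch: this key was not generated for this cert
		return CertInfo{}, fmt.Errorf("private key does not match certificate")
	}
	return CertInfo{CommonName: cert.Subject.CommonName, Expires: cert.NotAfter,
		Organization: strings.Join(cert.Subject.Organization, ", "),
		KeyType:      "KTYPE_RSA_PRIVATE", KeyBits: pub.N.BitLen(), // type label the Key tab shows
		WeakKey:      pub.N.BitLen() < 2048, // 512 and 1024 are still offered on the request screen
		ExpiresSoon:  cert.NotAfter.Before(now.Add(30 * 24 * time.Hour))}, nil
}

// SelfSignedPair is a constructed sample using the page's defaults (CN localhost.localdomain, O MyCompany).
func SelfSignedPair(bits, days int) (certPEM, keyPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	tmpl.Subject.CommonName, tmpl.Subject.Organization = "localhost.localdomain", []string{"MyCompany"}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}
func main() {
	crt, key := SelfSignedPair(2048, 365)
	fmt.Println(InspectPair(crt, key, time.Now()))
}
```

To check a real pair, replace the SelfSignedPair call with the contents of the downloaded .crt and .key files.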
You can use the Configuration utility to replace an SSL certificate or certificate/key pair with another one. To replace a certificate, you can display the properties of a certificate and then click Import. For information on displaying certificate properties, see Viewing certificate and key properties.
Table 9.7 lists and describes the settings for replacing an SSL certificate.
Specifies whether you want to import an SSL certificate (Certificate) or a certificate/key pair (Certificate and Key).
Upload File
Displays the Browse button for you to specify the name of the certificate file you want to import.
Paste Text
Displays a text box into which you can paste the text of the SSL certificate.
Specifies the source of the device key you are importing. This setting only appears when you select Certificate and Key from the Import Type list. Possible values are:
Upload File
Displays the Browse button for you to specify the name of the key file you want to import.
Paste Text
Displays a text box into which you can paste the text of the device key.
1. On the Main tab of the navigation pane, expand Local Traffic and click SSL certificates.
This displays a list of certificates installed on the system.
2. At the bottom of the screen, click Import.
This displays the screen for importing either a certificate, or a certificate and key.
3. From the Certificate Source setting, click either Upload File or Paste Text:
If you click Upload File, type a file name, or click Browse and select a file.
If you click Paste Text:
b) Paste the text into the Certificate Source window.
4. Click Import.
1. On the Main tab of the navigation pane, expand System and click SSL certificates.
This displays the properties of a self-signed certificate.
2. At the bottom of the screen, click Import.
This displays the screen for importing either a certificate, or a certificate and key.
3. From the Key Source setting, click either Upload File or Paste Text:
If you click Upload File, type a file name, or click Browse and select a file.
If you click Paste Text:
b) Paste the text into the Key Source window.
4. Click Import.
Table 9.8 shows the subject information you can modify, along with the key size.
Indicates whether the certificate is a self-signed certificate (Self) or a trusted CA certificate (Certificate Authority).
Specifies the common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Specifies the organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.
Specifies the name of the state or province for the certificate. The state or province name embedded in the certificate is used for name-based authentication.
Specifies the challenge password that you want the Certificate Authority to use. The Certificate Authority uses the challenge password to access the signing request created for this certificate. This property only appears when the Issuer property is set to Certificate Authority.
Specifies the password you typed in the Challenge Password setting. This property only appears when the Issuer setting is set to Certificate Authority.
For self-signed certificates only, specifies the interval for which the self-signed certificate is valid. The default is 365 days. The maximum is 25 years (9,125 days). This property only appears when the Issuer setting is set to Self.
1. On the Main tab of the navigation pane, expand System and click SSL certificates.
This displays the properties of the SSL certificate.
2. At the bottom of the screen, click Renew.
This displays the screen for renewing the certificate.
4. Click Finished.
You export an SSL certificate and private key when you want to create certificate and key files that you can migrate to another BIG-IP system.
Table 9.9 lists and describes the settings for exporting an SSL certificate.
Displays the text of the SSL certificate you want to export. Note that you can copy this text to create a duplicate SSL certificate.
Displays a button labeled Download <file_name> that you can use to copy the certificate to the BIG-IP system hard disk. An example of a Certificate File button is Download default.crt.
1. On the Main tab of the navigation pane, expand Local Traffic and click SSL certificates.
This displays a list of certificates installed on the system.
3. At the bottom of the screen, click Export.
This displays the existing SSL certificate in the Certificate Text box.
4. From the Certificate File setting, click the Download <file_name> button.
Table 9.9 lists and describes the settings for exporting a private key.
Displays the text of the private key you want to export. Note that you can copy this text to create a duplicate SSL key.
Displays a button labeled Download <file_name> that you can use to copy the key to the BIG-IP system hard disk. An example of a Key File button is Download default.key.
1. On the Main tab of the navigation pane, expand Local Traffic and click SSL certificates.
This displays a list of certificates installed on the system.
4. At the bottom of the screen, click Export.
This displays the existing private key in the Key Text box.
5. From the Key File setting, click the Download <file_name> button.