Topic
This article applies to the Configuration utility. For information about using the TMOS Shell (tmsh), refer to
the following articles:
You should consider using this procedure under the following condition:
You want to manage new or existing Secure Sockets Layer (SSL) certificates for BIG-IP SSL profiles
using the Configuration utility.
Description
BIG-IP software offers features that allow you to control SSL traffic that is destined for BIG-IP virtual
servers. One of these, the SSL profile, adds the ability to maintain secure connections between the client
system and the BIG-IP system and between the BIG-IP system and a target web server. Before you can
configure an SSL profile, you must install one or more SSL certificates on the BIG-IP system. The SSL
certificate can be either a self-signed certificate or a trusted Certificate Authority (CA) certificate.
A self-signed SSL certificate is a certificate that is signed by its own private key. BIG-IP software includes a
self-signed SSL certificate named default, which the SSL profile can use to terminate SSL traffic. You can
also use the Configuration utility pages to create or renew additional self-signed certificates.
A CA certificate is an SSL certificate that is signed by a CA's private key. Using a CA certificate allows you
to replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, which is a
certificate signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more
secure than using self-signed certificates. The Configuration utility provides a set of certificate management
pages that allow you to create certificate requests. The requests can then be sent to the CA for a signature.
Note: When renewing an SSL certificate from a CA, F5 recommends that you generate a new certificate
signing request (CSR) and private key. Although some CAs allow you to renew a certificate by using the
existing CSR on file, this method is less secure as it retains the existing private key. To generate a new
CSR, follow the procedure for Creating an SSL CSR and private key.
Prerequisites
Procedures
When managing SSL certificates on the BIG-IP system you may need to perform one or more of the
following tasks:
When working with new SSL certificates and keys you may need to perform one or more of the following
procedures.
A self-signed SSL certificate is one that is signed with the system's own private key. You can use self-
signed certificates for client- or server-side SSL processing; however, you normally use them for internal
testing.
Note: When using this procedure to create a new private key and certificate, you must choose a unique
name. F5 recommends appending the current year for easier accountability. For example, name the private
key and certificate example_2017.
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Create.
4. Type a name for the certificate.
5. In the Issuer list, click Self.
6. Configure the Common Name setting and the other certificate settings.
7. Under Key Properties, configure an appropriate Key Type and Size.
8. Click Finished.
Creating an SSL CSR and private key
CA-signed SSL certificates are typically valid for one or two years. To avoid warning messages or
connectivity issues caused by expired SSL certificates, you must renew SSL certificates before they
expire. To renew a CA-signed SSL certificate, perform the following procedure.
Note: For more information about monitoring SSL certificate expiration, refer to the following article:
K14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x - 13.x).
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
Note: When using this procedure to generate a new CSR and private key, you must choose a unique name.
F5 recommends appending the current year for easier accountability. For example, name the CSR and
private key example_2017.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Create.
4. Type a unique Name for the new SSL certificate and key.
5. In the Issuer list, click Certificate Authority.
6. Enter the required Common Name. This value is embedded in the certificate for name-based
authentication purposes, and is typically the fully-qualified domain name (FQDN) of the server (for
example, www.domain.com).
7. Configure other certificate settings.
8. Under Key Properties, configure an appropriate Key Type and Size.
9. Optional: If the BIG-IP system supports the FIPS hardware security module (HSM), specify the key
type (FIPS or Normal).
10. Click Finished.
11. To download the request into a file on your system, complete one of the following tasks:
Copy the request text from the Request Text box.
Click the button in the Request File box.
12. Click Finished.
13. After the CSR is signed and returned by the CA, continue to the next section, Importing an SSL
certificate.
Important: After you import the new SSL certificate and key, you must associate them with the
appropriate client SSL profile.
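The following shell script is an added example and is not F5 code; it produces the same result as steps 3 through 10 with the OpenSSL command-line tool, which is useful when the request has to be scripted or when the key size and Common Name of a CSR have to be checked before the request text is sent to the CA. The temporary directory, the name example_2017, the Common Name www.example.com and the other subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example, not F5 code: generate a new private key and CSR with the
# OpenSSL CLI, the same result as steps 3-10 of the Configuration utility
# procedure. Sample values (example_2017, www.example.com) are constructed.
set -e

# make_csr DIR NAME CN BITS: write DIR/NAME.key and DIR/NAME.csr.
# A fresh key is generated on every call; a renewal never reuses the old key.
make_csr() {
    dir=$1; name=$2; cn=$3; bits=$4
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
        -out "$dir/$name.key" 2>/dev/null
    chmod 600 "$dir/$name.key"          # the private key stays readable by the owner only
    openssl req -new -batch -key "$dir/$name.key" \
        -subj "/C=US/ST=WA/L=Seattle/O=Example Inc/CN=$cn" \
        -out "$dir/$name.csr" 2>/dev/null
    # The CSR carries a self-signature made with the new key; confirm it before
    # sending the request text to the CA.
    openssl req -in "$dir/$name.csr" -noout -verify >/dev/null 2>&1
}

# csr_cn FILE: print the Common Name embedded in a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_bits FILE: print the modulus size of an RSA private key in bits.
key_bits() {
    openssl pkey -in "$1" -noout -text \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Example run: a 2048-bit key and CSR for www.example.com in a temp directory.
workdir=$(mktemp -d)
make_csr "$workdir" example_2017 www.example.com 2048
echo "CSR subject CN: $(csr_cn "$workdir/example_2017.csr")"
echo "Key size: $(key_bits "$workdir/example_2017.key") bits"
echo "Request text to send to the CA: $workdir/example_2017.csr"
```

Copy the contents of the .csr file into the CA's request form exactly as you would copy the Request Text box. Because a new key is generated on every run, the .key file written here is the one to import alongside the signed certificate, and it needs the same protection as the BIG-IP key store.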
Importing an SSL certificate
Certificate authorities typically send SSL certificates by email, either as an attachment or embedded in
the body of the message. Copy and paste the certificate into a text file using a text editor. The file must
include the BEGIN CERTIFICATE and END CERTIFICATE lines and contain no white space, extra line
breaks, or additional characters. The text file should appear similar to the following example:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
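As an added example that is not part of the F5 article, the following shell script performs this cleanup mechanically: it keeps only the BEGIN and END lines and the base64 text between them, strips Windows line endings, indentation and blank lines, and then asks OpenSSL to parse the result so that a damaged paste is caught before it reaches the Import page. The function takes the PEM label as a parameter, so it goes slightly beyond the certificate case: the label X509 CRL selects the same cleanup for a revocation list. The email body, the temporary directory and the host name www.example.com are constructed sample values.

```shell
#!/bin/sh
# Added example, not F5 code: turn a certificate pasted out of an email into
# exactly the text the Import page accepts, then prove the result still parses.
# The email body built in demo() is a constructed sample.
set -e

# pem_extract FILE TYPE: rewrite FILE in place, keeping only the lines from
# "-----BEGIN TYPE-----" to "-----END TYPE-----" (TYPE is CERTIFICATE for a
# certificate, "X509 CRL" for a revocation list), with carriage returns,
# leading and trailing spaces, and blank lines removed.
pem_extract() {
    file=$1; type=$2
    tr -d '\r' < "$file" \
        | sed -n "/^[[:space:]]*-----BEGIN $type-----/,/^[[:space:]]*-----END $type-----/p" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' > "$file.clean"
    mv "$file.clean" "$file"
}

# pem_check FILE TYPE: exit 0 only if FILE parses as the given PEM object.
pem_check() {
    case $2 in
        CERTIFICATE) openssl x509 -in "$1" -noout ;;
        "X509 CRL")  openssl crl -in "$1" -noout ;;
        *)           return 2 ;;
    esac
}

# cert_fp FILE: SHA-256 fingerprint, used to confirm cleanup changed nothing.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# demo DIR: build a throwaway self-signed cert, wrap it in a constructed CA
# email with CRLF line endings, indentation and surrounding prose, clean it,
# and print the cleaned file's path. Fails if the cleaned cert does not match.
demo() {
    dir=$1
    openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$dir/k.pem" \
        -out "$dir/c.pem" -subj "/CN=www.example.com" -days 30 2>/dev/null
    {
        printf 'Hello,\r\n\r\nYour certificate is below.\r\n\r\n'
        awk '{ printf "    %s\r\n", $0 }' "$dir/c.pem"
        printf '\r\nRegards,\r\nThe CA\r\n'
    } > "$dir/mail.txt"
    pem_extract "$dir/mail.txt" CERTIFICATE
    pem_check "$dir/mail.txt" CERTIFICATE
    [ "$(cert_fp "$dir/mail.txt")" = "$(cert_fp "$dir/c.pem")" ]
    echo "$dir/mail.txt"
}

demo "$(mktemp -d)"
```

Run pem_extract on the saved email text before pasting it into the Import page; if pem_check then fails, the paste is incomplete or damaged and the BIG-IP system would reject it for the same reason.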
After you have saved the certificate to a text file, you can use the Configuration utility to import the
certificate. To do so, perform the following procedure:
Note: When using this procedure to import a new SSL certificate, you must choose a unique name. F5
recommends appending the current year for easier accountability. For example, name the SSL certificate
example_2017.
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Import.
4. In the Import Type list, click Certificate.
5. For Certificate Name, click Create New and type a name for the certificate, or click Overwrite Existing
to overwrite an existing certificate, and in the list, click the certificate file that you want to overwrite.
6. For Certificate Source, click Upload File and click Choose File to browse to the file location, or click
Paste Text and paste the certificate plain text into the text box.
7. Click Import.
You can use the following procedure to import an existing SSL private key.
Note: When using this procedure to import a new SSL key, you must choose a unique name. Consider
appending the current year for easier accountability. For example, name the SSL key example_2017.
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Import.
4. In the Import Type list, click Key.
5. For Key Name, click Create New and type a unique name for the key, or click Overwrite Existing to
overwrite an existing key, and in the list, click the key file that you want to overwrite.
6. For Key Source, click Upload File and click Choose File to browse to the file location, or click Paste
Text and paste the key plain text into the text box.
7. If you want to set a password for the key, in the Security Type list, click Password and type a
password in the Password box.
8. Click Import.
PKCS 12 is a specifically formatted archive file that is used for storing cryptographic objects in a single file.
The PKCS 12 file has an extension of .PFX and is compatible with Windows IIS. To import a PKCS 12 file,
perform the following steps:
Note: The BIG-IP system automatically converts PKCS 12 certificates to PEM format when the files are
imported.
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Import.
4. In the Import Type list, click PKCS 12 (IIS).
5. For Certificate Name, click Create New and type a name for the certificate, or click Overwrite Existing
to overwrite an existing certificate, and in the list, click the certificate file that you want to overwrite.
6. For Certificate Source, click Upload File and click Choose File to browse to the file location, or click
Paste Text and paste the certificate plain text into the text box.
7. If you want to set a password for the key, in the Key Security list, click Password and type a
password in the Key Password box.
8. Click Import.
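The following shell script is an added example, not F5 code, showing the PKCS 12 to PEM conversion described in the note, done by hand with the OpenSSL command-line tool, together with the two checks worth running before a .PFX is used to overwrite an existing certificate: the certificate fingerprint is unchanged by the conversion, and the public key inside the certificate matches the private key that came with it. The file names, the name example_2017 and the password s3cret are constructed sample values.

```shell
#!/bin/sh
# Added example, not F5 code: the conversion the BIG-IP system performs on
# import, done by hand with the OpenSSL CLI. A .pfx is packed from a PEM
# certificate and key, unpacked again, and the pieces are checked against each
# other. File names and the password are constructed sample values.
set -e

# pkcs12_pack DIR NAME PASS: bundle DIR/NAME.crt + DIR/NAME.key into DIR/NAME.pfx.
pkcs12_pack() {
    dir=$1; name=$2; pass=$3
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -name "$name" -out "$dir/$name.pfx" -passout "pass:$pass"
}

# pkcs12_unpack DIR NAME PASS: write the PEM certificate to DIR/NAME.pem.crt and
# the unencrypted PEM key to DIR/NAME.pem.key, the form the import produces.
pkcs12_unpack() {
    dir=$1; name=$2; pass=$3
    openssl pkcs12 -in "$dir/$name.pfx" -passin "pass:$pass" \
        -clcerts -nokeys -out "$dir/$name.pem.crt"
    openssl pkcs12 -in "$dir/$name.pfx" -passin "pass:$pass" \
        -nocerts -nodes -out "$dir/$name.pem.key"
    chmod 600 "$dir/$name.pem.key"      # the unpacked key is now plaintext on disk
}

# cert_fp FILE: SHA-256 fingerprint of a PEM certificate.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# cert_pub_fp FILE / key_pub_fp FILE: SHA-256 of the DER public key taken from a
# certificate or derived from a private key. Equal values mean the pair belongs
# together; unequal values mean the wrong key was bundled.
cert_pub_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Example run with a throwaway self-signed pair.
workdir=$(mktemp -d)
openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$workdir/example_2017.key" \
    -out "$workdir/example_2017.crt" -subj "/CN=www.example.com" -days 30 2>/dev/null
pkcs12_pack "$workdir" example_2017 "s3cret"
pkcs12_unpack "$workdir" example_2017 "s3cret"
echo "certificate fingerprint after round trip: $(cert_fp "$workdir/example_2017.pem.crt")"
echo "public key from key:  $(key_pub_fp "$workdir/example_2017.pem.key")"
echo "public key from cert: $(cert_pub_fp "$workdir/example_2017.pem.crt")"
```

A mismatch between the two public-key digests is the condition that shows up on the BIG-IP system as a client SSL profile that cannot use the imported pair, so it is cheaper to catch here than after the overwrite.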
A certificate revocation list (CRL) is a list of certificates that have been revoked. If you plan to upload the
CRL using the Paste Text option, copy and paste the CRL into a text file using a text editor. The PEM CRL
format uses the header and footer lines as follows:
To import a CRL file using the Configuration utility, perform the following procedure:
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
When working with existing SSL certificates and keys you may need to perform one or more of the following
procedures.
To manually monitor the expiration date for your SSL certificates, perform the following procedure:
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Review the Expiration column for the desired SSL certificates. The displayed date is the date on which
the SSL certificate expires.
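For an unattended check rather than a manual one, the following shell script is an added example (not F5 code) that reads the same expiration date from PEM certificate files with the OpenSSL command-line tool and warns about any that expire within a chosen window; run on a schedule against certificates exported or archived from the BIG-IP system, it gives the early warning the note above refers to. The directory, the certificate names and the 30-day window are constructed sample values.

```shell
#!/bin/sh
# Added example, not F5 code: the same expiry check as the Expiration column,
# run from the command line against PEM certificate files so it can be
# scheduled. File and host names below are constructed sample values.
set -e

# cert_not_after FILE: print the notAfter date embedded in the certificate.
cert_not_after() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# expires_within_days FILE DAYS: print "yes" if the certificate's notAfter
# falls within DAYS from now (or has already passed), "no" otherwise.
# "openssl x509 -checkend" exits non-zero exactly when the cert will expire.
expires_within_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        echo no
    else
        echo yes
    fi
}

# report_expiring DIR DAYS: one WARNING line per .crt in DIR expiring within DAYS.
report_expiring() {
    dir=$1; days=$2
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if [ "$(expires_within_days "$f" "$days")" = yes ]; then
            echo "WARNING: $(basename "$f") expires $(cert_not_after "$f")"
        fi
    done
}

# Example run: two throwaway self-signed certs, one 5 days from expiry and one
# valid for just over a year, scanned with a 30-day warning window.
workdir=$(mktemp -d)
openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$workdir/soon.key" \
    -out "$workdir/soon.crt" -subj "/CN=soon.example.com" -days 5 2>/dev/null
openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout "$workdir/fine.key" \
    -out "$workdir/fine.crt" -subj "/CN=fine.example.com" -days 400 2>/dev/null
report_expiring "$workdir" 30
```

Only the certificate nearing expiry produces a WARNING line; a window of 30 days leaves time to generate a new CSR and key, have it signed and import it before the old certificate stops validating.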
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Archive.
4. Type a name for the archive file.
5. For Key List, in the Available Keys box, click the keys to include in the archive file and move them to
the Keys To Archive box.
6. For Certificate List, in the Available Certificates box, click the certificates to include in the archive file
and move them to the Certificates To Archive box.
7. Click Generate and Download Archive.
Note: You cannot delete certificates that are referenced by other elements in the system's configuration.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Select the check box next to the certificate you want to delete.
4. Click Delete.
5. Confirm the operation by clicking Delete.
Note: You cannot delete keys that are referenced by other elements in the system's configuration.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
4. Click the Key tab.
5. Click Delete.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
Property Description
Name: Displays the name that the BIG-IP system assigned to the certificate. The default value for a
self-signed certificate is server.
Partition / Path: Displays the administrative partition in which the certificate is installed.
Certificate Subjects: Displays the values of the common name (CN) and organization embedded in the
certificate. The default value for a self-signed certificate is localhost.localdomain, MyCompany.
Public Key: Displays the public key size (length) of the certificate, measured in bits.
Expires: Displays the expiration date for the certificate. The expiration date is embedded in the SSL
certificate for name-based authentication purposes.
Version: Displays the version number of the X.509 certificate. An example of a certificate version
number is 3.
Serial Number: Displays the unique serial number assigned to the certificate.
Subject: Displays the values for the following data embedded in the certificate:
- Common Name
- Organization
- Locality
- State or Province
- Country
Issuer: Indicates whether the certificate is a self-signed certificate (Self) or a trusted CA certificate
(Certificate Authority).
Subject Alternative Name: Specifies whether the certificate contains the subject alternative name (SAN)
extension per RFC2459.
Public Key Type: Displays the Public Key type. For example, RSA, DSA, or ECDSA.
Viewing properties of an SSL private key
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
Property Description
Key Type: Displays the type of key. For example, the RSA private key value is KTYPE_RSA_PRIVATE.
Partition / Path: Displays the administrative partition in which the key is installed.
Size: Displays the key length (512, 1024, or 2048) in bits. If the key size is less than 2048, the
system displays an error message.
You can use the following procedure to renew an existing self-signed SSL certificate.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
Note: Existing connections continue to use the old SSL certificate until the connections complete or are
renegotiated or until the Traffic Management Microkernel (TMM) is restarted.
When renewing an SSL certificate from a CA, F5 recommends that you generate a new CSR and private
key. Although some CAs allow you to renew a certificate by using the existing CSR on file, this method is
less secure as it retains the existing private key.
Impact of procedure: Performing the following procedure should not have any impact on existing traffic;
new traffic uses the new certificate.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
When you import a renewed SSL certificate, you overwrite the existing certificate/key with the one you are
importing. The SSL profile then automatically uses the renewed certificate to encrypt the SSL sessions.
Important: Existing connections continue to use the old SSL certificate until the connections complete or
are renegotiated, or until TMM is restarted.
Impact of procedure: Performing the following procedure should not have any impact on existing traffic;
new traffic uses the new certificate.
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click Import.
4. In the Import Type list, click Certificate.
5. For Certificate Name, click Overwrite Existing.
6. In the Certificate Name list, click the certificate to replace.
7. For Certificate Source, click either Upload File and browse to the file or Paste Text and paste plain
text into the box.
8. Click Import.
You export an SSL certificate and private key when you want to migrate the certificate/key pair to another
BIG-IP system.
Impact of procedure: Performing the following procedures should not have a negative impact on your
system.
SSL Certificate
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
SSL Key
Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.
3. Click the name of the certificate whose key you want to export.
4. Click the Key tab.
5. Click Export.
6. On the Certificate Export page, click Download.
Supplemental Information