
K14620: Managing SSL certificates for BIG-IP systems using the Configuration utility

Non-Diagnostic

Original Publication Date: Sep 24, 2013

Update Date: Jun 29, 2018

Topic

This article applies to the Configuration utility. For information about using the TMOS Shell (tmsh), refer to
the following articles:

K15462: Managing SSL certificates for BIG-IP systems using tmsh

You should consider using this procedure under the following condition:

You want to manage new or existing Secure Sockets Layer (SSL) certificates for BIG-IP SSL profiles
using the Configuration utility.

Description

BIG-IP software offers features that allow you to control SSL traffic that is destined for BIG-IP virtual
servers. One of these, the SSL profile, adds the ability to maintain secure connections between the client
system and the BIG-IP system and between the BIG-IP system and a target web server. Before you can
configure an SSL profile, you must install one or more SSL certificates on the BIG-IP system. The SSL
certificate can be either a self-signed certificate or a trusted Certificate Authority (CA) certificate.

A self-signed SSL certificate is a certificate that is signed by its own private key. BIG-IP software includes a
self-signed SSL certificate named default, which the SSL profile can use to terminate SSL traffic. You can
also use the Configuration utility pages to create or renew additional self-signed certificates.

A CA certificate is an SSL certificate that is signed by a CA's private key. Using a CA certificate allows you
to replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, which is a
certificate signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more
secure than using self-signed certificates. The Configuration utility provides a set of certificate management
pages that allow you to create certificate requests. The requests can then be sent to the CA for a signature.

Note: When renewing an SSL certificate from a CA, F5 recommends that you generate a new certificate
signing request (CSR) and private key. Although some CAs allow you to renew a certificate by using the
existing CSR on file, this method is less secure as it retains the existing private key. To generate a new
CSR, follow the procedure for Creating an SSL CSR and private key.

Prerequisites

You must meet the following prerequisite to use this procedure:

You have Administrator or Certificate Manager role access to the Configuration utility.

Procedures

When managing SSL certificates on the BIG-IP system you may need to perform one or more of the
following tasks:

Working with new SSL certificates/keys

Creating a self-signed SSL certificate
Creating an SSL CSR and private key
Importing an SSL certificate
Importing an SSL private key
Importing a PKCS 12 (IIS) file
Importing a CRL

Working with existing SSL certificates/keys

Monitoring SSL certificate expiration
Generating and downloading a certificate/key archive file
Deleting an SSL certificate
Deleting an SSL private key
Viewing properties of a certificate
Viewing properties of a private key
Renewing a self-signed certificate/key
Renewing a certificate from a CA
Importing a renewed SSL certificate
Exporting an SSL certificate and private key

Working with new SSL certificates/keys

When working with new SSL certificates and keys you may need to perform one or more of the following
procedures.

Creating a self-signed SSL certificate

A self-signed SSL certificate is one that is signed with the system's own private key. You can use self-
signed certificates for client- or server-side SSL processing; however, you normally use them for internal
testing.

Note: When using this procedure to create a new private key and certificate, you must choose a unique
name. F5 recommends appending the current year for easier accountability. For example, name the private
key and certificate example_2017.

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Create.
4. Type a name for the certificate.
5. In the Issuer list, click Self.
6. Configure the Common Name setting and the other certificate settings.
7. Under Key Properties, configure an appropriate Key Type and Size.
8. Click Finished.

Creating an SSL CSR and private key

CA-signed SSL certificates are typically valid for one or two years. To avoid warning messages
or connectivity issues caused by expired SSL certificates, you must renew SSL certificates
before they expire. To renew a CA-signed SSL certificate, perform the following procedure.

Note: For more information about monitoring SSL certificate expiration, refer to the following article:
K14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x - 13.x).

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

Note: When using this procedure to generate a new CSR and private key, you must choose a unique name.
F5 recommends appending the current year for easier accountability. For example, name the CSR and
private key example_2017.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Create.
4. Type a unique Name for the new SSL certificate and key.
5. In the Issuer list, click Certificate Authority.
6. Enter the required Common Name. This value is embedded in the certificate for name-based
authentication purposes, and is typically the fully-qualified domain name (FQDN) of the server (for
example, www.domain.com).
7. Configure other certificate settings.
8. Under Key Properties, configure an appropriate Key Type and Size.
9. Optional: If the BIG-IP system supports the FIPS hardware security module (HSM), specify the key
type (FIPS or Normal).
10. Click Finished.
11. To download the request into a file on your system, complete one of the following tasks:
    - Copy the certificate from the Request Text box.
    - Click the button in the Request File box.
12. Click Finished.
13. After the CSR is signed and returned by the CA, continue to the next section, Importing an SSL
certificate.

Important: After you import the new SSL certificate and key, you must associate them with the
appropriate client SSL profile.

Importing an SSL certificate

Certificate authorities typically send SSL certificates by email. The certificate may arrive as an
attachment or embedded in the body of the email. Copy and paste the certificate into a text file using a
text editor. The file should include the BEGIN CERTIFICATE and END CERTIFICATE lines and
contain no white space, extra line breaks, or additional characters. The text file should appear similar to the
following example:

-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----

After you have saved the certificate to a text file, you can use the Configuration utility to import the
certificate. To do so, perform the following procedure:

Note: When using this procedure to import a new SSL certificate, you must choose a unique name. F5
recommends appending the current year for easier accountability. For example, name the SSL certificate
example_2017.

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Import.
4. In the Import Type list, click Certificate.
5. For Certificate Name, click Create New and type a name for the certificate, or click Overwrite Existing
to overwrite an existing certificate, and in the list, click the certificate file that you want to overwrite.
6. For Certificate Source, click Upload File and click Choose File to browse to the file location, or click
Paste Text and paste the certificate plain text into the text box.
7. Click Import.

Importing an SSL private key

You can use the following procedure to import an existing SSL private key.

Note: When using this procedure to import a new SSL key, you must choose a unique name. Consider
appending the current year for easier accountability. For example, name the SSL key example_2017.

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Import.
4. In the Import Type list, click Key.
5. For Key Name, click Create New and type a unique name for the key, or click Overwrite Existing to
overwrite an existing key, and in the list, click the key file that you want to overwrite.
6. For Key Source, click Upload File and click Choose File to browse to the file location, or click Paste
Text and paste the key plain text into the text box.
7. If you want to set a password for the key, in the Security Type list, click Password and type a
password in the Password box.
8. Click Import.

Importing a PKCS 12 (IIS) file

PKCS 12 is a specifically formatted archive file that is used for storing cryptographic objects in a single file.
The PKCS 12 file has an extension of .PFX and is compatible with Windows IIS. To import a PKCS 12 file,
perform the following steps:

Note: The BIG-IP system automatically converts PKCS 12 certificates to PEM format when the files are
imported.

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Import.
4. In the Import Type list, click PKCS 12 (IIS).
5. For Certificate Name, click Create New and type a name for the certificate, or click Overwrite Existing
to overwrite an existing certificate, and in the list, click the certificate file that you want to overwrite.
6. For Certificate Source, click Upload File and click Choose File to browse to the file location, or click
Paste Text and paste the certificate plain text into the text box.
7. If you want to set a password for the key, in the Key Security list, click Password and type a
password in the Key Password box.
8. Click Import.

Importing a CRL (BIG-IP 11.x - 12.x)

A certificate revocation list (CRL) is a list of certificates that have been revoked. If you plan to upload the
CRL using the Paste Text option, copy and paste the CRL into a text file using a text editor.
The PEM CRL format uses the following header and footer lines:

-----BEGIN X509 CRL-----
[encoded data]
-----END X509 CRL-----

To import a CRL file using the Configuration utility, perform the following procedure:

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > File Management > SSL Certificate List.
3. Click Import.
4. In the Import Type list, click Certificate Revocation List.
5. For Certificate Revocation List Name, type a name for the file.
6. For Certificate Revocation List Source, click either Upload File or Paste Text.
7. Click Import.

Working with existing SSL certificates and keys

When working with existing SSL certificates and keys you may need to perform one or more of the following
procedures.

Monitoring SSL certificate expiration

To manually monitor the expiration date for your SSL certificates, perform the following procedure:

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Review the Expiration column for the desired SSL certificates. The displayed date is the date on
which the SSL certificate expires.
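The two checks this article leaves to the operator, cleaning a pasted PEM certificate so it has only the BEGIN/END lines and base64 (the Importing an SSL certificate section) and reading the expiration date before the Configuration utility does (this section), can be scripted ahead of import. The following is an added example, not F5 code or part of this article; it uses only the Python standard library, and the certificate it parses is a constructed DER stand-in laid out like an X.509 certificate (placeholder names, no valid signature), so the helper names `normalize_pem`, `not_after`, `expiry_report` and `build_sample_cert` are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_pem(text: str) -> str:
    """Return a clean PEM block: header, 64-char base64 lines, footer, no stray whitespace."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE lines missing")
    body = re.sub(r"\s+", "", m.group(1))          # drop blank lines, indents, CRLF
    base64.b64decode(body, validate=True)           # rejects non-base64 debris before import
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield the TLVs directly inside buf[start:end]."""
    pos = start
    while pos < end:
        tlv = _tlv(buf, pos)
        yield tlv
        pos = tlv[2]


def not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 field order)."""
    _, cs, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)                       # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vs, ve = fields[3]                           # serial, signature, issuer, validity
    tag, s, e = list(_children(der, vs, ve))[1]     # notAfter is the second Time
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def expiry_report(pem_text: str, now: datetime) -> dict:
    """Clean the pasted text, then report notAfter and the days remaining at `now`."""
    clean = normalize_pem(pem_text)
    der = base64.b64decode("".join(clean.splitlines()[1:-1]))
    exp = not_after(der)
    return {"not_after": exp.isoformat(), "days_left": (exp - now).days}


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content     # short-form lengths suffice for the sample


def build_sample_cert(not_after_utc: bytes) -> bytes:
    """Constructed stand-in: DER laid out like an X.509 certificate, empty names/algorithms."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") +
           _der(0x30, b"") + _der(0x30, _der(0x17, b"180101000000Z") + _der(0x17, not_after_utc)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


# Constructed input, pasted the way mail clients often mangle it: indent, CRLF and blank lines.
MESSY_PEM = ("-----BEGIN CERTIFICATE-----\r\n\r\n   "
             + base64.b64encode(build_sample_cert(b"190630120000Z")).decode()
             + "\r\n\r\n-----END CERTIFICATE-----\r\n")
CHECK_DATE = datetime(2019, 6, 1, tzinfo=timezone.utc)
```

Running `expiry_report(MESSY_PEM, CHECK_DATE)` on the constructed sample reports notAfter 2019-06-30T12:00:00+00:00 with 29 days left, which is the same date the Expiration column would show after import.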

Generating and downloading a certificate/key archive file

You can generate an SSL certificate/key archive file and then download the file to your local hard drive. The
file is saved in the TGZ format.

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Archive.
4. Type a name for the archive file.
5. For Key List, in the Available Keys box, click the keys to include in the archive file and move them to
the Keys To Archive box.
6. For Certificate List, in the Available Certificates box, click the certificates to include in the archive file
and move them to the Certificates To Archive box.
7. Click Generate and Download Archive.

Deleting an SSL certificate

Note: You cannot delete certificates that are referenced by other elements in the system's configuration.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Select the check box next to the certificate you want to delete.
4. Click Delete.
5. Confirm the operation by clicking Delete.

Deleting an SSL private key

Note: You cannot delete keys that are referenced by other elements in the system's configuration.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the certificate name.
4. Click the Key tab.
5. Click Delete.

Viewing properties of a certificate

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the name of the certificate you want to view.

The certificate properties include those in the following table.

Property: Description

Name: Displays the name that the BIG-IP system assigned to the certificate. The default value for a
self-signed certificate is server.

Partition / Path: Displays the administrative partition in which the certificate is installed.

Certificate Subjects: Displays the values of the common name (CN) and organization embedded in the
certificate. The default value for a self-signed certificate is localhost.localdomain, MyCompany.

Public Key: Displays the public key size (length) of the certificate, measured in bits.

Expires: Displays the expiration date for the certificate. The expiration date is embedded in the SSL
certificate for name-based authentication purposes.

Version: Displays the version number of the X.509 certificate. An example of a certificate version
number is 3.

Serial Number: Displays the unique serial number assigned to the certificate.

Subject: Displays the values for the following data embedded in the certificate:
- Common Name
- Organization
- Locality
- State or Province
- Country

Issuer: Indicates whether the certificate is a self-signed certificate (Self) or a trusted CA certificate
(Certificate Authority).

Subject Alternative Name: Specifies whether the certificate contains the subject alternative name (SAN)
extension per RFC2459.

Public Key Type: Displays the Public Key type. For example, RSA, DSA, or ECDSA.

Viewing properties of an SSL private key

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the name of the certificate you want to view.
4. Click the Key tab.

The key properties include those in the following table.

Property: Description

Key Type: Displays the type of key. For example, the RSA private key value is KTYPE_RSA_PRIVATE.

Partition / Path: Displays the administrative partition in which the key is installed.

Size: Displays the key length (512, 1024, or 2048) in bits. If the key size is less than 2048, the
system displays an error message.

Renewing a self-signed certificate

You can use the following procedure to renew an existing self-signed SSL certificate.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the name of the certificate you want to renew.
4. Click Renew.
5. To renew a self-signed certificate, for Issuer, click Self.
6. Complete the remaining information as required.
7. Click Finished.

Note: Existing connections continue to use the old SSL certificate until the connections complete or are
renegotiated or until the Traffic Management Microkernel (TMM) is restarted.

Renewing a certificate from a CA

When renewing an SSL certificate from a CA, F5 recommends that you generate a new CSR and private
key. Although some CAs allow you to renew a certificate by using the existing CSR on file, this method is
less secure as it retains the existing private key.

Impact of procedure: Performing the following procedure should not have any impact on existing traffic,
and new traffic will use the new certificate.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the name of the certificate you want to renew.
4. Click Renew.
5. For Issuer, click Certificate Authority.
6. Complete the remaining information as required.
7. Click Finished.
8. On the Certificate Signing Request page, copy the CSR from the Requested Text box, or to download
the CSR, click Download.
9. Click Finished.
10. After the CSR is signed and returned by the CA, continue to the next procedure.

Importing a renewed SSL certificate

When you import a renewed SSL certificate, you overwrite the existing certificate/key with the one you are
importing. The SSL profile then automatically uses the renewed certificate to encrypt the SSL sessions.

Important: Existing connections continue to use the old SSL certificate until the connections complete or are
renegotiated or until TMM is restarted.

Impact of procedure: Performing the following procedure should not have any impact on existing traffic,
and new traffic will use the new certificate.

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click Import.
4. In the Import Type list, click Certificate.
5. For Certificate Name, click Overwrite Existing.
6. In the Certificate Name list, click the certificate to replace.
7. For Certificate Source, click either Upload File and browse to the file or Paste Text and paste plain
text into the box.
8. Click Import.

Exporting an SSL certificate and private key

You export an SSL certificate and private key when you want to migrate the certificate/key pair to another
BIG-IP system.

Impact of procedure: Performing the following procedures should not have a negative impact on your
system.

SSL Certificate

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the name of the certificate you want to export.
4. Click Export.
5. On the Certificate Export page, click Download.

SSL Key

1. Log in to the Configuration utility.
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.

Note: For BIG-IP 12.x and earlier, navigate to System > File Management > SSL Certificate List.

3. Click the name of the certificate whose key you want to export.
4. Click the Key tab.
5. Click Export.
6. On the Certificate Export page, click Download.

Supplemental Information

K6353: Updating an SSL device certificate on a BIG-IP system
K13471: Creating SSL SAN certificates and CSRs using the Configuration utility or tmsh
K13349: Verifying SSL certificate and key pairs from the command line (11.x - 13.x)
K13831: Missing or corrupt default SSL certificate and key pair may generate errors (11.x)
K14499: Using OpenSSL to create CA and client certificates (11.x - 12.x)
K14783: Overview of the Client SSL profile (11.x - 13.x)