My Support
  1. AskF5 Home
  2. Knowledge Center
  3. BIG-IP System v14.1.0.1: SSL Traffic Management
  4. Create a custom Server SSL profile that supports CRL
Manual Chapter : Create a custom Server SSL profile that supports CRL

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP Analytics

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP PEM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Create a custom Server SSL profile that supports CRL

With a Server SSL profile, the BIG-IP® system can perform decryption and encryption for server-side SSL traffic.
A certificate revocation list (CRL) is a published list of revoked certificates issued and updated by the certificate authority who signed them. Clients like your internet browser, will check the certificate's CRL URI to find out if the certificate is valid. When a certificate is revoked, the CRL is updated to reflect the revokation and published accordingly. Lists are not the most efficient way to maintain a record of revocation in high volume scenarios so some application vendors have deprecated their use in favor of online certificate status protcol (OCSP). However, you still need a CRL configuraiton as it is still a common scenario and recommended for backward compatibility.
Before you create a customer Server SSL profile that supports CRL, you must create either a configured DNS resolver or a configured BIG-IP LTM pool.
  1. Create an internal proxy
  2. On the Main tab, click
    System
    Services
    Internal Proxies
    .
    The Internal Proxies screen opens.
  3. Click
    Create
    .
    The New Internal Proxy screen opens.
  4. In the
    Name
     field, type a unique name for your internal proxy.
  5. Select the
    Use Proxy Server
     check box if you want to use the
    Proxy Server Pool
     instead of
    DNS Resolver
    . The
    Proxy Server Pool
     is the LTM pool with one or multiple proxies for forwarding the CRL request to the CRL server. The
    DNS Resolver
     is the internal DNS resolver the BIG-IP system uses to fetch the internal proxy response.
    1. From the
      DNS Resolver
       list, select the internal DNS resolver the BIG-IP system uses to fetch the internal proxy response. This involves specifying one or more DNS servers in the DNS resolver configuration. Use this option when:
      • There is a DNS server that can do the name-resolution of the internal proxy.
      • The internal proxy can be reached on one of BIG-IP system's interfaces.
      If you are not selecting a pre-existing DNS Resolver you can create one. Click
      +
       to define a new internal DNS resolver and then return to this screen.
    2. From the
      Proxy Server Pool
       list, select the LTM pool for forwarding the CRL request to the CRL server.
  6. From the
    Route Domain
     list, select the route domain for fetching an internal proxy using HTTP explicit proxy. It is common to have the Route Domain set to
    0
    . Click
    +
     to define a new route domain.
    You have now created an internal proxy and are ready to create a CRL configuration object.
  7. Create a CRL configuration object
  8. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    CRL
    .
    The CRL screen opens.
  9. Click
    Create
    .
    The New CRL screen opens.
  10. In the
    Name
     field, type a name that specifies the certificate revocation list.
  11. Specify if you want to select
    Strict Revocation Check
     to protect your configuration from accidental future changes. The Strict Revocation Check specifies whether the strict revocation check for the certificate revocation list is enable or disabled. If the check box is selected it enables the strict revocation check and keymgmtd waits for the c fetching/caching to complete. If it is disabled, keymgmtd immediately replies with certificate status that is unknown and starts to download/cache the certificate revocation list file.
  12. For the
    Internal Proxy
     section, select
    Internal Proxy List
     to define the CRL list that specifies the internal DNS resolver or a proxy server pool. Select either New Internal Proxy or Internal Proxy List to specify the internal proxy.
  13. Click
    Update
    .
    You are now ready to create your custom Server SSL profile that supports CRL.
  14. Create a Custom Server SSL Profile that supports CRL
  15. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  16. Click
    Create
    .
    The New Server SSL Profile screen opens.
  17. In the
    Name
     field, type a unique name for the profile.
  18. From the
    Parent Profile
     list, select
    serverssl
    .
  19. From the
    Configuration
     list, select
    Advanced
    .
  20. Select the
    Custom
     check box.
    The settings become available for change.
  21. From the
    Certificate
     list, select the name of an SSL certificate on the BIG-IP system.
    If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  22. From the
    Key
     list, select the name of an SSL key on the BIG-IP system.
    If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  23. In the
    Pass Phrase
     field, type a pass phrase that enables access to the certificate/key pair on the BIG-IP system.
  24. From the
    Chain
     list, select the name of an SSL chain on the BIG-IP system.
  25. For the
    Ciphers
     setting, specify a cipher group or cipher string by choosing one of these options.
    If you specified an ECDSA certificate key chain in the
    Certificate Key Chain
     setting, you must include the cipher string
    ECDHE_ECDSA
     in the cipher group or cipher string that you specify in the
    Ciphers
     setting. (At a minimum, you should specify a cipher group or string such as
    DEFAULT:ECDHE_ECDSA
    .) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option
    Description
    Cipher Group
    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the
    Ciphers
     setting where we've selected a custom cipher group that we created earlier.
    Cipher String
    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:
    • Always append ciphers to the
      DEFAULT
       cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword
      HIGH
      . To do this, just include both
      !ADH
       and
      :HIGH
       in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses
      Forward Privacy
      , which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like
      ssldump
       won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including
      !EXPORT
       in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include
      :!SSLv3
       in any cipher string you type.
    Here's an example of the
    Ciphers
     setting where we have opted to manually type the cipher string
    DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH
    :
  26. In the same area of the screen, configure any other settings as needed.
  27. Select the
    Custom
     check box for the Server Authentication area of the screen.
    The settings become available for change.
  28. Change or retain the values for all Server Authentication settings as needed.
  29. From the
    CRL
     list, select the CRL object that specifies the SSL client certificate constrained delegation CRL object that the BIG-IP system's SSL should use. You can click the
    +
     icon to open the create-new CRL object screen.
  30. From the
    CRL File
     list, select the name of a file containing a list of revoked server certificates.
  31. In the
    Allow Expired CRL File
     field, select the check box to instruct the system to use the specified CRL file even if it has expired. The default is disabled.
  32. Complete any other settings and click
    Finished
    .
After performing this task, you can see the custom Server SSL profile that supports CRL in the list of Server SSL profiles on the system.

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2020 F5, Inc. All rights reserved.

Policies Privacy Trademarks