Manual Chapter : SSL Certificate Management

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Analytics

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP PEM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

SSL Certificate Management

Supported certificate/key types

The BIG-IP® system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:
  • Rivest Shamir Adleman (RSA)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Digital Signature Algorithm (DSA)
When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.
On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About RSA certificates

RSA
(Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP® system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses its private key associated with the public key to decrypt the data. Only the private key can be used to decrypt data encrypted with the public key.
The RSA encryption algorithm includes an authentication mechanism.
On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About DSA certificates

DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than that of RSA.
DSA
is paired with a key exchange method such as Diffie-Hellman or Elliptical Curve Diffie-Hellman to achieve a comparable level of security to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with new government standards, such as those for specific key lengths.

About ECDSA certificates

When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm). An
ECDSA key
is based on Elliptic Curve Cryptography (ECC), and provides better security and performance with significantly shorter key lengths.
Encryption based on ECC is ideally suited for mobile devices that cannot store large keys.
For example, an RSA key size of 2048 bits is equivalent to an ECC key size of only 224 bits. As a result, less computing power is required, resulting in faster, more secure connections. The BIG-IP system supports the eilliptic curves prime256v1, secp384r1, and secp521r1.
The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

About SSL certificate management

You can obtain a certificate for the BIG-IP system by using the BIG-IP® Configuration utility to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.
In addition to requesting CA-signed certificates, you can create self-signed certificates. You create self-signed certificates primarily for testing purposes within an organization.
When you install the BIG-IP software, the application includes a default self-signed certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate bundle contains certificates from most of the well-known CAs.
To manage digital certificates for the BIG-IP system, you must have a role of Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user account.
See additional information regarding SM2 options later in this section for importing, managing, and exporting a certificate and key with SM2 license. The BIG-IP system added SM2, SM3, and SM4 Cryptographic Algorithm support for the Chinese market. The algorithms were independently developed by the China State Cryptography Administration, where SM2 is the public key algorithm, SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Creating a self-signed certificate that contains an ECDSA key type

You can use this task to create a self-signed certificate with an ECDSA key type. The certificate is used to authenticate and secure either client-side or server-side HTTP traffic.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the Issuer list, select
    Self.
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the
    Key Type
    list, select
    ECDSA
    .
  15. From the
    Curve
    list, select an elliptic curve:
    prime256v1
    Creates a key that is 256 bits in length
    secp384r1
    Creates a key that is 384 bits in length
    secp521r1
    Creates a key that is 521 bits in length
    In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  16. Click
    Finished
    .
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a CA-signed certificate that contains an ECDSA key type

You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the
    Issuer
    list, select
    Certificate Authority
    .
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the
    Challenge Password
    field, type a password.
  15. In the
    Confirm Password
    field, re-type the password you typed in the
    Challenge Password
    field.
  16. From the
    Key Type
    list, select
    ECDSA
    .
  17. From the
    Curve
    list, select an elliptic curve:
    prime256v1
    Creates a key that is 256 bits in length
    secp384r1
    Creates a key that is 384 bits in length
    secp521r1
    Creates a key that is 521 bits in length
    In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  18. Do one of the following to download the request into a file on your system.
    • In the
      Request Text
      field, copy the certificate.
    • For
      Request File
      , click the button.
  19. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  20. Click
    Finished
    .
    The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for signature.

Creating a FIPS-type self-signed certificate

You can use this task to create a self-signed certificate to authenticate and secure either client-side or server-side HTTP traffic.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the Issuer list, select
    Self.
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the
    Security Type
    list, select
    FIPS
    .
  15. From the
    Key Type
    list, select
    RSA
    ,
    DSA
    , or
    ECDSA
    .
  16. If you selected
    ECDSA
    , then from the
    Curve
    list, select an elliptic curve.
    The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  17. Click
    Finished
    .
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a FIPS-type CA-signed certificate

Use this task to create a request for a certificate with FIPS type security from a certificate authority.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    .
    This displays the list of certificates installed on the system.
  2. Click
    Create
    .
    The New SSL Certificate screen opens.
  3. In the
    Name
    field, type a unique name for the certificate.
  4. From the
    Issuer
    list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select
      Certificate Authority
      .
    • For a self-signed certificate, select
      Self
      .
  5. Configure the
    Common Name
    setting and any other settings as needed.
  6. From the
    Security Type
    list, select
    FIPS
    .
  7. From the
    Key Type
    list, select
    RSA
    ,
    DSA
    , or
    ECDSA
    .
  8. If you selected
    ECDSA
    , then from the
    Curve
    list, select an elliptic curve.
    The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  9. Click
    Finished
    .

Converting a key to FIPS format

You can use the BIG-IP Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
  2. Click a certificate name.
    This displays the properties of that certificate.
  3. On the menu bar, click
    Key
    .
    This displays the type and size of the key associated with the certificate.
  4. Click
    Convert to FIPS
    to convert the key to a FIPS key.
    The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About SSL file import

You can import several types of SSL files onto the BIG-IP system.

Importing a certificate signed by a certificate authority

Before performing this task, confirm that a digital certificate signed by a certificate authority (CA) is available.
You can install an SSL certificate signed by a CA by importing a certificate that already exists on the hard drive of the management workstation. You can import a private key, a certificate or certificate bundle, or an archive.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    Certificate
    .
  4. For the
    Certificate Name
    setting:
    • If you are importing a new certificate, select
      Create New
      and type a unique name in the field.
    • If you are replacing an existing certificate, select
      Overwrite Existing
      and select a certificate name from the list.
  5. For the
    Certificate Source
    setting, do one of the following:
    • Select the
      Upload File
      option, and browse to the location of the certificate file.
    • Select the
      Paste Text
      option, and paste the certificate text copied from another source.
  6. Click
    Import
    .
After you perform this task, the SSL certificate that was signed by a CA is installed.

Importing an SSL key

You can use the BIG-IP Configuration utility to import an SSL key onto the BIG-IP system from another location.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    Key
    .
  4. For the
    Key Name
    setting, do one of the following:
    • Select the
      Create New
      option, and type a unique name in the field.
    • Select the
      Overwrite Existing
      option, and select a certificate name from the list.
  5. For the
    Key Source
    setting, do one of the following:
    • Select the
      Upload File
      option, and browse to the location of the key file.
    • Select the
      Paste Text
      option, and paste the key text copied from another source.
  6. In the
    Password
    field, type the password associated with the import source.
  7. from the
    Security Type
    list, select a security type.
  8. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified key.

Importing a PKCS-formatted file

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    PKCS 12 (IIS)
    .
  4. For the
    Certificate Name
    setting, type a certificate name.
  5. For the
    Certificate Source
    setting, click
    Browse
    and locate the source file.
  6. In the
    Password
    field, type the password associated with the import source.
  7. from the
    Security Type
    list, select a security type.
  8. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file.

Importing a PKCS-formatted file with SM2 license

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format with an SM2 license.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    PKCS 12 (IIS)
    .
  4. For the
    Certificate and Key Name
    setting, select
    New
    and type a certificate name.
  5. For the
    Certificate and Key Source
    setting, click
    SM2
    . Click
    Choose File
    for both
    Signing
    and
    Encryption
    to select the associated source files.
  6. In the
    Password
    field, type the password associated with the import source.
  7. From the
    Key Security
    list, sselect a security type to specify the level of security to use when importing and storing a key. For example a Security Type of Password means that you specify a password to protect the imported key. The password must be provided when the key is used. The default is
    Normal
    .
    • Normal
      : Specifies that the key file is imported without password protection. In this case, the key resides in a standard form on the file system.
    • Password
      : Specifies that the key is protected by a passphrase and stored in encrypted form. When you select this option, you must also specify a passphrase in the
      Password
      text box.
  8. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file with a SM2 license.
You are now ready to create a SM2 cihper rule and cipher group to use when creating a customer Client SSL profile that supports SM2. See the
Create a custom Client SSL profile that supports SM2
section in this guide for detailed steps.

Importing an archive file

You can use the BIG-IP Configuration utility to upload an archive file onto the BIG-IP system.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. For the
    Upload Archive File
    setting, click
    Browse
    and select the file to be imported.
  4. Click the
    Load
    button.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Exporting an SSL certificate

You perform this task to export an SSL certificate to another device.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the name of the certificate you want to export.
    The General Properties screen displays.
  3. Click
    Export
    .
    The Certificate Export screen displays the contents of the certificate in the
    Certificate Text
    box.
  4. To obtain the certificate, do one of the following:
    • Copy the text from the
      Certificate Text
      field, and paste it as needed into an interface on another system.
    • At the
      Certificate File
      option, click
      Download filename
      where the filename is the name of the certificate file, such as
      mycert.crt
      .

Exporting an SSL certificate to another device with an SM2 license

You perform this task to export an SSL certificate to another device with an SM2 license.
  1. On the Main tab, click
    System
    Certificate Managment
    Traffic Certificate Managment
    .
    The Traffic Certificate Management screen opens.
  2. Click the name of the SM2 certificate you want to export.
    The General Properties screen displays.
  3. Click
    Export
    .
    The Certificate Export screen displays the contents of the certificate in the
    Certificate Text
    box.
  4. To obtain the certificate, do one of the following:
    1. Copy the text from the
      Certificate Text
      field, and paste it as needed into an interface on another system with an SM2 license.
    2. At the
      Certificate File
      option, click
      Download Filename
      where the filename of the certificate file, such as mycert.crt.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Viewing a list of certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. In the Name column, view the list of certificates on the system.

Viewing a list of SM2 certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. In the
    Name
    column, select your SM2 certificate and key to view the details on the system. The
    Contents
    column will also indicate the item is a
    SM2 Certificate & Key
    .
You can now view your SM2 certificate and key details.

Digital SSL certificate properties

From the BIG-IP Configuration utility, you can see the properties of the SSL digital certificates you have installed on the BIG-IP system.
Property
Description
Certificate
The name of the certificate.
Content
The type of certificate content, for example, Certificate Bundle or Certificate and Key.
Common name
The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is
localhost.localdomain
.
Expiration date
The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization
The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is
MyCompany
.

About certificate bundle management

You can use the bundle manager to automatically update and install certificate authority (CA) bundles on the system from two sources: local certificate file objects and remote URL resources. By using the
Include Bundles
and
Include URLs
options, you can combine CA certificates from various sources to create a new, customized CA bundle. You can also use the
Exclude Bundles
and
Exclude URLs
options to remove certain CA certificates from the resulting CA bundle file. The newly created or modified CA bundle file is installed as a certificate-file-object on the system and used as a trusted CA bundle by other modules.
In addition, you can set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created CA bundle manager does not create or update the managed CA bundle object. Exceptions are if the CA bundle manager has a positive update interval or is explicitly told to do so since you have set the
Update Now
option.

Creating a new certificate bundle

You can create a new certificate authority (CA) bundle, and specify bundles and URLs to include or exclude. You can also set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources.
The resulting bundle file will be named the same as the bundle manager object.
By default, a newly created CA bundle manager does not create or update the managed CA bundle object unless the CA bundle manager has a positive
Update Interval
or is explicitly told to do so by the
Update Now
option.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Bundle Manager List
    .
    The Bundle Manager List screen opens.
  2. Click
    Create
    .
  3. From the
    Include Bundles
    Available
    list, select the certificate file objects to include for generating a new CA bundle.
  4. In the
    Include URLs
    field, type the URL where remote CA bundles reside, and click
    Add
    to include that for generating the new CA bundle.
    Only HTTPS URLs are allowed in the
    Include URLs
    fields.
  5. From the
    Exclude Bundles
    Available
    list, select the certificate file objects to exclude from the new CA bundle.
  6. In the
    Exclude URLs
    field, type the URL where remote CA bundles reside, and click
    Add
    to exclude it from the new CA bundle.
    Only HTTPS URLs are allowed in the
    Exclude URLs
    fields.
  7. In the
    Update Interval
    field, type the number of days at which to refresh the remote CA bundles at the URLs.
    The default value is set to
    0
    and indicates that the generated CA bundle is not dynamically updated.
  8. If you want the CA bundle manager to immediately refresh its generated CA bundle from all its sources and recalculate its certificate contents, select the
    Update Now
    check box.
    The default value is disabled.
  9. From the
    Trusted CA-Bundle
    list, select the CA bundle that this CA bundle manager will use to download remote CA bundles in the include and exclude URLs.
  10. In the
    Proxy Server
    field, type the host name or IP address of the proxy server for accessing remote URL resources.
    Only HTTP proxy is supported. You may optionally prepend
    http://
    to the host name or IP address.
  11. In the
    Proxy Server Port
    field, type the port number of the proxy server for accessing remote URL resources.
    The default is
    3128
    .
  12. In the
    Download Timeout
    field, specify the timeout period, in seconds, to download the remote CA bundles from the URLs.
    The value range is from 1 to 3600 (1 hour) seconds.
    The default value is
    8
    seconds.
  13. Click
    Finished
    .
The system installs a generated CA bundle file as a certificate-file-object on the system to be used as a trusted CA bundle by other modules.

Modifying an existing certificate bundle

You can use the bundle manager to modify an existing certificate authority (CA) bundle.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Bundle Manager List
    .
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. From the
    Bundle Manager List
    , click the name of the CA bundle that you want to modify.
    The Properties screen opens showing the selected CA bundle general properties and configuration details
  3. Select the
    Update Now
    check box if you want the bundle to be updated.
  4. Modify any of the configuration details needed, and click
    Update
    .
The system updates the selected CA bundle’s configuration with the modified configuration details.

Deleting an existing certificate bundle

You can use the bundle manager to delete an existing certificate authority (CA) bundle.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Bundle Manager List
    .
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. Select the check box next to the name of the CA bundle that you want to delete.
  3. Click
    Delete
    .
    You can also delete a CA bundle on the Properties screen by clicking
    Delete
    at the bottom of the screen.
    Deleting the CA bundle manager does not delete the managed CA bundle file object. You should delete the CA bundle file object separately or you might receive an error message indicating that your managed CA bundle file object is referenced by a CA bundle manager.
This deletes the selected CA bundle from the system.