Manual Chapter :
SSL Certificate Management
Applies To:
Show VersionsSSL Certificate Management
Supported certificate/key types
The BIG-IP® system supports multiple cipher suites when offloading SSL operations
from a target server on the network. The BIG-IP system can support cipher suites that use these
algorithms:
- Rivest Shamir Adleman (RSA)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Digital Signature Algorithm (DSA)
When you generate a certificate request or a self-signed certificate, you specify the type of
private key, which determines the specific signing or encryption algorithm that is used to
generate the private key.
On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher
suites vary according to key size.
About RSA certificates
RSA
(Rivest Shamir Adleman) is the original encryption algorithm that is based on
the concept of a public and a private key. When a public site attempts to communicate with a
device such as the BIG-IP® system, the device sends the site a public key that the site uses to
encrypt data before sending that data back to the device. The device uses its private key
associated with the public key to decrypt the data. Only the private key can be used to decrypt
data encrypted with the public key.The RSA encryption algorithm includes an authentication mechanism.
On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher
suites vary according to key size.
About DSA
certificates
DSA (Digital Signature Algorithm) uses a different algorithm for signing
key exchange messages than that of RSA.
DSA
is paired with a
key exchange method such as Diffie-Hellman or Elliptical Curve Diffie-Hellman to achieve a
comparable level of security to RSA. Because DSA is generally endorsed by federal agencies,
specifying a DSA key type makes it easier to comply with new government standards, such as those
for specific key lengths. About ECDSA
certificates
When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve
Digital Signature Algorithm). An
ECDSA key
is based on
Elliptic Curve Cryptography (ECC), and provides better security and performance with
significantly shorter key lengths.Encryption based on ECC is ideally suited for mobile devices that cannot
store large keys.
For example, an RSA key size of 2048 bits is equivalent to an ECC key size
of only 224 bits. As a result, less computing power is required, resulting in faster, more secure
connections. The BIG-IP system supports the eilliptic curves prime256v1, secp384r1, and
secp521r1.
The elliptic curve secp521r1 is not supported on the F5®
10350v-FIPS hardware platform.
About SSL certificate management
You can obtain a certificate for the BIG-IP system by using the BIG-IP®
Configuration utility to generate a certificate signing request (CSR) that can then be submitted
to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.
In addition to requesting CA-signed certificates, you can create self-signed certificates. You
create self-signed certificates primarily for testing purposes within an organization.
When you install the BIG-IP software, the application includes a default self-signed
certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate
bundle contains certificates from most of the well-known CAs.
To manage digital certificates for the BIG-IP system, you must have a role of
Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user
account.
See additional information regarding SM2 options later in this section for importing,
managing, and exporting a certificate and key with SM2 license. The BIG-IP system added SM2, SM3,
and SM4 Cryptographic Algorithm support for the Chinese market. The algorithms were independently
developed by the China State Cryptography Administration, where SM2 is the public key algorithm,
SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic
Curve Discrete Logarithm Problem (ECDLP).
Creating a self-signed certificate that contains an ECDSA key type
You can use this task to create a self-signed certificate with an ECDSA key type. The certificate is used to authenticate and secure either
client-side or server-side HTTP traffic.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From the Issuer list, selectSelf.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- From theKey Typelist, selectECDSA.
- From theCurvelist, select an elliptic curve:prime256v1Creates a key that is 256 bits in lengthsecp384r1Creates a key that is 384 bits in lengthsecp521r1Creates a key that is 521 bits in lengthIn general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
- ClickFinished.The name of the self-signed certificate appears in the list of certificates on the system.
Requesting a CA-signed
certificate that contains an ECDSA key type
You can generate a certificate that includes an Elliptic Curve Digital Signature
Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate
authority for signature.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From theIssuerlist, selectCertificate Authority.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- In theChallenge Passwordfield, type a password.
- In theConfirm Passwordfield, re-type the password you typed in theChallenge Passwordfield.
- From theKey Typelist, selectECDSA.
- From theCurvelist, select an elliptic curve:prime256v1Creates a key that is 256 bits in lengthsecp384r1Creates a key that is 384 bits in lengthsecp521r1Creates a key that is 521 bits in lengthIn general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
- Do one of the following to download the request into a file on your system.
- In theRequest Textfield, copy the certificate.
- ForRequest File, click the button.
- Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
- ClickFinished.The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for
signature.
Creating a FIPS-type self-signed certificate
You can use this task to create a self-signed certificate to authenticate and secure either
client-side or server-side HTTP traffic.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From the Issuer list, selectSelf.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- From theSecurity Typelist, selectFIPS.
- From theKey Typelist, selectRSA,DSA, orECDSA.
- If you selectedECDSA, then from theCurvelist, select an elliptic curve.The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
- ClickFinished.The name of the self-signed certificate appears in the list of certificates on the system.
Requesting a FIPS-type CA-signed certificate
Use this task to create a request for a certificate with
FIPS type security from a certificate authority.
- On the Main tab, click.This displays the list of certificates installed on the system.
- ClickCreate.The New SSL Certificate screen opens.
- In theNamefield, type a unique name for the certificate.
- From theIssuerlist, specify the type of certificate that you want to use.
- To request a certificate from a CA, selectCertificate Authority.
- For a self-signed certificate, selectSelf.
- Configure theCommon Namesetting and any other settings as needed.
- From theSecurity Typelist, selectFIPS.
- From theKey Typelist, selectRSA,DSA, orECDSA.
- If you selectedECDSA, then from theCurvelist, select an elliptic curve.The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
- ClickFinished.
Converting a key to FIPS format
You can use the BIG-IP Configuration utility to
convert an existing key to a FIPS key.
- On the Main tab, click
- Click a certificate name.This displays the properties of that certificate.
- On the menu bar, clickKey.This displays the type and size of the key associated with the certificate.
- ClickConvert to FIPSto convert the key to a FIPS key.The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.
About SSL file import
You can import several types of SSL files onto the BIG-IP system.
Importing a certificate signed by a certificate authority
Before performing this task, confirm that a digital certificate signed by a
certificate authority (CA) is available.
You can install an SSL certificate signed by a CA by importing a certificate that
already exists on the hard drive of the management workstation. You can import a private
key, a certificate or certificate bundle, or an archive.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click theImportbutton.
- From theImport Typelist, selectCertificate.
- For theCertificate Namesetting:
- If you are importing a new certificate, selectCreate Newand type a unique name in the field.
- If you are replacing an existing certificate, selectOverwrite Existingand select a certificate name from the list.
- For theCertificate Sourcesetting, do one of the following:
- Select theUpload Fileoption, and browse to the location of the certificate file.
- Select thePaste Textoption, and paste the certificate text copied from another source.
- ClickImport.
After you perform this task, the SSL certificate that was signed by a CA is
installed.
Importing an SSL key
You can use the BIG-IP Configuration utility to import an SSL
key onto the BIG-IP system from another location.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click theImportbutton.
- From theImport Typelist, selectKey.
- For theKey Namesetting, do one of the following:
- Select theCreate Newoption, and type a unique name in the field.
- Select theOverwrite Existingoption, and select a certificate name from the list.
- For theKey Sourcesetting, do one of the following:
- Select theUpload Fileoption, and browse to the location of the key file.
- Select thePaste Textoption, and paste the key text copied from another source.
- In thePasswordfield, type the password associated with the import source.
- from theSecurity Typelist, select a security type.
- ClickImport.
After you perform this task, the BIG-IP system imports the specified key.
Importing a PKCS-formatted file
You can use the BIG-IP Configuration utility to import file
onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12
format.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click theImportbutton.
- From theImport Typelist, selectPKCS 12 (IIS).
- For theCertificate Namesetting, type a certificate name.
- For theCertificate Sourcesetting, clickBrowseand locate the source file.
- In thePasswordfield, type the password associated with the import source.
- from theSecurity Typelist, select a security type.
- ClickImport.
After you perform this task, the BIG-IP system imports the specified PKCS
12-formatted file.
Importing a PKCS-formatted file with SM2 license
You can use the BIG-IP Configuration utility to
import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS)
number 12 format with an SM2 license.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click theImportbutton.
- From theImport Typelist, selectPKCS 12 (IIS).
- For theCertificate and Key Namesetting, selectNewand type a certificate name.
- For theCertificate and Key Sourcesetting, clickSM2. ClickChoose Filefor bothSigningandEncryptionto select the associated source files.
- In thePasswordfield, type the password associated with the import source.
- From theKey Securitylist, sselect a security type to specify the level of security to use when importing and storing a key. For example a Security Type of Password means that you specify a password to protect the imported key. The password must be provided when the key is used. The default isNormal.
- Normal: Specifies that the key file is imported without password protection. In this case, the key resides in a standard form on the file system.
- Password: Specifies that the key is protected by a passphrase and stored in encrypted form. When you select this option, you must also specify a passphrase in thePasswordtext box.
- ClickImport.
After you perform this task,
the BIG-IP system imports the specified PKCS 12-formatted file with a SM2 license.
You
are now ready to create a SM2 cihper rule and cipher group to use when creating a
customer Client SSL profile that supports SM2. See the
Create a custom Client
SSL profile that supports SM2
section in this guide for detailed steps.
Importing an archive file
You can use the BIG-IP Configuration utility to upload an
archive file onto the BIG-IP system.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click theImportbutton.
- For theUpload Archive Filesetting, clickBrowseand select the file to be imported.
- Click theLoadbutton.
After you perform this task, the BIG-IP system uploads an archive file onto the
BIG-IP system.
Exporting an SSL certificate
You perform this task to export an SSL certificate to another device.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click the name of the certificate you want to export.The General Properties screen displays.
- ClickExport.The Certificate Export screen displays the contents of the certificate in theCertificate Textbox.
- To obtain the certificate, do one of the following:
- Copy the text from theCertificate Textfield, and paste it as needed into an interface on another system.
- At theCertificate Fileoption, clickDownload filenamewhere the filename is the name of the certificate file, such asmycert.crt.
Exporting an SSL certificate to another device with an SM2
license
You perform this task to export an SSL certificate to
another device with an SM2 license.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- Click the name of the SM2 certificate you want to export.The General Properties screen displays.
- ClickExport.The Certificate Export screen displays the contents of the certificate in theCertificate Textbox.
- To obtain the certificate, do one of the following:
- Copy the text from theCertificate Textfield, and paste it as needed into an interface on another system with an SM2 license.
- At theCertificate Fileoption, clickDownload Filenamewhere the filename of the certificate file, such as mycert.crt.
After you perform this task, the BIG-IP system uploads
an archive file onto the BIG-IP system.
Viewing a list of certificates on the system
You can perform this task to view a list of existing digital certificates on the BIG-IP system.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- In the Name column, view the list of certificates on the system.
Viewing a list of SM2 certificates on the system
You can perform this task to view a list of
existing digital certificates on the BIG-IP system.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- In theNamecolumn, select your SM2 certificate and key to view the details on the system. TheContentscolumn will also indicate the item is aSM2 Certificate & Key.
You can now view your SM2 certificate and key
details.
Digital SSL certificate properties
From the BIG-IP Configuration utility, you can see the properties
of the SSL digital certificates you have installed on the BIG-IP
system.
Property | Description |
---|---|
Certificate | The name of the certificate. |
Content | The type of certificate content, for example, Certificate Bundle or Certificate and
Key. |
Common name | The common name (CN) for the certificate. The common name embedded in the certificate is
used for name-based authentication. The default common name for a self-signed certificate is
localhost.localdomain . |
Expiration date | The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle. |
Organization | The organization name for the certificate. The organization name embedded in the certificate
is used for name-based authentication. The default organization for a self-signed certificate
is MyCompany . |
About certificate
bundle management
You can use the bundle manager to automatically update and install
certificate authority (CA) bundles on the system from two sources: local certificate file objects
and remote URL resources. By using the
Include
Bundles
and Include URLs
options, you can combine CA certificates from various sources to create a new, customized CA
bundle. You can also use the Exclude
Bundles
and Exclude URLs
options to remove certain CA certificates from the resulting CA bundle file. The newly created or
modified CA bundle file is installed as a certificate-file-object on the system and used as a
trusted CA bundle by other modules.In addition, you can set the update frequency of the CA bundle, or use a web
proxy for downloading the remote URL resources. By default, a newly created CA bundle manager
does not create or update the managed CA bundle object. Exceptions are if the CA bundle manager
has a positive update interval or is explicitly told to do so since you have set the
Update Now
option.Creating a new certificate bundle
You can create a new certificate authority (CA) bundle, and specify bundles and URLs
to include or exclude. You can also set the update frequency of the CA bundle, or
use a web proxy for downloading the remote URL
resources.
The resulting bundle file will be
named the same as the bundle manager object.
By default, a newly created CA
bundle manager does not create or update the managed CA bundle object unless the CA
bundle manager has a positive
Update Interval
or is
explicitly told to do so by the Update Now
option.- On the Main tab, click.The Bundle Manager List screen opens.
- ClickCreate.
- From theInclude BundlesAvailablelist, select the certificate file objects to include for generating a new CA bundle.
- In theInclude URLsfield, type the URL where remote CA bundles reside, and clickAddto include that for generating the new CA bundle.Only HTTPS URLs are allowed in theInclude URLsfields.
- From theExclude BundlesAvailablelist, select the certificate file objects to exclude from the new CA bundle.
- In theExclude URLsfield, type the URL where remote CA bundles reside, and clickAddto exclude it from the new CA bundle.Only HTTPS URLs are allowed in theExclude URLsfields.
- In theUpdate Intervalfield, type the number of days at which to refresh the remote CA bundles at the URLs.The default value is set to0and indicates that the generated CA bundle is not dynamically updated.
- If you want the CA bundle manager to immediately refresh its generated CA bundle from all its sources and recalculate its certificate contents, select theUpdate Nowcheck box.The default value is disabled.
- From theTrusted CA-Bundlelist, select the CA bundle that this CA bundle manager will use to download remote CA bundles in the include and exclude URLs.
- In theProxy Serverfield, type the host name or IP address of the proxy server for accessing remote URL resources.Only HTTP proxy is supported. You may optionally prependhttp://to the host name or IP address.
- In theProxy Server Portfield, type the port number of the proxy server for accessing remote URL resources.The default is3128.
- In theDownload Timeoutfield, specify the timeout period, in seconds, to download the remote CA bundles from the URLs.The value range is from 1 to 3600 (1 hour) seconds.The default value is8seconds.
- ClickFinished.
The system installs a generated CA
bundle file as a certificate-file-object on the system to be used as a trusted CA bundle
by other modules.
Modifying an existing certificate
bundle
You can use the bundle manager to modify an existing certificate authority (CA)
bundle.
- On the Main tab, click.The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
- From theBundle Manager List, click the name of the CA bundle that you want to modify.The Properties screen opens showing the selected CA bundle general properties and configuration details
- Select theUpdate Nowcheck box if you want the bundle to be updated.
- Modify any of the configuration details needed, and clickUpdate.
The system updates the selected CA
bundle’s configuration with the modified configuration details.
Deleting an existing certificate
bundle
You can use the bundle manager to
delete an existing certificate authority (CA) bundle.
- On the Main tab, click.The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
- Select the check box next to the name of the CA bundle that you want to delete.
- ClickDelete.You can also delete a CA bundle on the Properties screen by clickingDeleteat the bottom of the screen.Deleting the CA bundle manager does not delete the managed CA bundle file object. You should delete the CA bundle file object separately or you might receive an error message indicating that your managed CA bundle file object is referenced by a CA bundle manager.
This deletes the selected CA bundle
from the system.
About certificate order management
The BIG-IP system supports a unified interface for F5 customers to manage
Certificate Authority (CA) certificate operations within the BIG-IP. Currently, F5
supports Certificate Authorities Comodo (now known as Sectigo) and Symantec (purchased
by Digicert) by automating certificate management with trusted certificate authorities.
You can generate, renew, and revoke certificates as necessary after setting up general
properties, authentication details, certificate authority request order information, and
internal proxy connection details.
A CA request is made up of multiple pieces of information from both the Certificate Order
Manager and the Certificate Signing Request (CSR). This information is combined in the
API request sent to the vendor. For example, the Certificate Order Manager object
maintains information about contacting the CA, including authentication information and
URI. It also maintains information about the type of certificate product being purchased
from the vendor. The CSR, created during the certificate key creation in TMOS, maintains
information about the specific host, or hosts, that the certificate is intended to cover
(such as their common name, email address, and other information). With this information
combined in the API request and sent to the vendor, it allows you to configure one
certificate order for multiple certificates that use common certificate types and
durations.
Make sure to read the Certificate Authority documentation you select
so to better understand and note specific CA requirements, APIs, and other information
that you will need so to complete the new certificate order information fields. Each
Certificate Authority requires different information to generate a CA order. You will
need to map the external CA information in their documentation to the fields in this
task.
Digicert and Symantec still have their own APIs. F5’s BIG-IP certificate order only
works with the Symantec legacy API and not the Digicert API. Please refer to your CA’s
documentation for API details.
Generating a new certificate order (Comodo)
- Before setting up the CA order, you must first do one of the following:
- Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
- Setup and configure a proxy server pool in your system's environment.
- Make sure you have an account with the CA that is being setup for API access.
To generate a new Comodo certificate order, use the following steps.
Comodo is now known as Sectigo. For Comodo certificate manager tool and account
information, see the official Sectigo web site. Make sure to read the Sectigo
documentation and refer to it as necessary to understand their requirements, APIs,
and other information that will help you complete the new certificate order
information fields. In this documentation, and in the BIG-IP UI, F5 refers to Comodo
as the CA name.
Each CA requires different information to create a CA order. Depending on the CA
you select, certificate order fields will vary and are tailored to be vendor
specific. The certificate order manager information will be paired with the CSR
information, which is created when configuring the certificate key in TMOS (this
maintains information about the specific host or hosts that the certificate is
intended to cover, such as their common name, email address, etc.). These are
combined in the API request that is sent to the vendor.
- On the Main tab, click. The Certificate Order Manager List screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
- From theCertificate Authoritylist, selectComodo.Comodo is the default certificate authority selected.
- TheAuto Renewfield is selected by default.
- In theLogin Namefield, type a unique login name. Use the same login name you use with your Comodo CA account.
- In theLogin Passwordfield, type a password. Use the same login password you use with your Comodo CA account.For Comodo, F5 recommends you use a dedicated user for API access with limited rights to specific items rather than the overall administrator object used at log in.
- In theValidity Daysfield, type the number of days the certificate authority request remains valid.Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.For Comodo, this number must later match one of the options configured in the CCM for the certificate type.
- In theBase URLfield, type your CA account’s base URL if it is different from the default base URL provided by the CA.
- In theAdditional HTTP Headersfield, type the CA’s specific key value pair (separated by a colon). You can add additional key value pairs by separating them with a semicolon. In this instance, the key is the unique customer URI and the value is specific to the user. For example, you must have the following string:customerURI:<customer uri>. The<customer uri>is replaced with the actual customer URI.Check with your specific CA account documentation to determine how to use their API information and determine required additional HTTP header information.This field is required for the Comodo CA order. When you create an account with Comodo, the customer URI is unique to Comodo CA and is provided for customer use. The Comodo customer URI is found by looking at the URI used to access the Comodo certificate manager. For example, if the URI for Comodo ishttps://cert-manager.com/customer/my-customer-uri/locale=en#0, then the customer URI is betweencustomer/and before/localeand is, in this example,my-customer-uri.
- From theCA Certificatelist, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle isca-bundle.
- In theOrder Informationfields, fill in the information required by your selected CA.Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.The options in theOrder Informationfield are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the nameValues, the text field at the bottom of theOrder Informationsection will automatically populate with your CA configuration.
- Select theEdit as text boxif you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of theOrder Informationsection. If you add the CA configuration information in this manner, the required fields inOrder Informationwill be automatically populated with the values you input for each requiredNamefield.For Comodo, after entering theOrgID, enter-1in theServer Typefield to indicate that the certificate is for the server typeother.
- Use your CA account documentation to complete the required configuration fields provided.
- ClickAddto add additionalNameandValuefields from the list. This list is of names you can add are specific to the CA account you have chosen.For Comodo CA, you can also click Add next to the Custom Fields name and type a custom Name not available in the list.
- ClickDeleteafter selecting to remove any additionalNameandValuefields you have added.You may not delete any CA API information required by your CA.
As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the keys in the CA API.Mapping of required F5 names to the original name of the keys in the Comodo CA APIF5 Names in Order InformationVendor Keys in the CA APIOrg IDorgIdServer TypeserverTypeF5 recommends that you verify the order information with the vendor before using in production. - In theInternal Proxyfields, do the following to setup an internal proxy to allow outside communications:
- SelectNew Internal ProxyorInternal Proxy List.You can also manage existing internal proxies, or create new internal proxies, by selectingand either select an existing internal proxy name to edit or clickCreateto create a new one.
- New Internal Proxy: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provideProxy Server Pooldetails), specify theDNS ResolverandRoute Domain(optional) information.
- Internal Proxy List: If you select to use an existing internal proxy list, select it from the available items in the list.
- ClickFinished.
You have now successfully generated a new Comodo
certificate order manager object.
You are now ready to create:
- a new SSL certificate
- check certificate request status
- renew a certificate
- revoke a certificate.
Generating a new certificate order (Symantec)
- Before setting up the CA order, you must first do one of the following:
- Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
- Setup and configure a proxy server pool in your system's environment.
- Make sure you have an account with the CA that is being setup for API access.
To generate a new Symantec certificate order, use the following steps.
Symantec is now known as Digicert (after Digicert purchased Symantec). In this
documentation, and in the BIG-IP UI, F5 refers to Symantec as the CA name. For
Symantec certificate manager tool and account information, see the official Symantec
(or Digicert as needed) web site. Digicert currently maintains Symantec’s API for
Symantec’s customers. However, existing Digicert customers will not be able to use
the Symantec APIs. In this documentation, and in the BIG-IP UI, F5 refers to
Symantec as the CA name.
Each CA requires different information to generate a CA order.
Depending on the CA you select, certificate order fields will vary and are tailored
to be vendor specific. The certificate order manager information will be paired with
the CSR information, which is created when configuring the certificate key in TMOS
(this maintains information about the specific host or hosts that the certificate is
intended to cover, such as their common name, email address, etc.). These are
combined in the API request that is sent to the vendor.
- On the Main tab, click. The Certificate Order Manager List screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
- From theCertificate Authoritylist, selectSymantec.Comodo is the default certificate authority selected.
- TheAuto Renewfield is selected by default.
- From theClient Certificatelist, select the required client certificate.For Symantec, the user must be authorized for the VICE2 web services application role (Win the Roles list). This can be checked by logging into your Symantec account.
- From theClient Keylist, select the required client key.
- In theKey Passphrasefield, type the CA’s key passphrase.
- In theValidity Daysfield, type the number of days the certificate authority request remains valid.Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.
- In theBase URLfield, type your CA account’s base URL if it is different from the default base URL provided by the CA.
- Leave theAdditional HTTP Headersfield blank. Symantec does not require this information.
- From theCA Certificatelist, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle isca-bundle.
- In theOrder Informationfields, fill in the information required by your selected CA.Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.The options in theOrder Informationfield are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the nameValues, the text field at the bottom of theOrder Informationsection will automatically populate with your CA configuration.
- Select theEdit as text boxif you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of theOrder Informationsection. If you add the CA configuration information in this manner, the required fields inOrder Informationwill be automatically populated with the values you input for each requiredNamefield.
- Use your CA account documentation to complete the required configuration fields provided.
- ClickAddto add additionalNameandValuefields from the list. This list is of names you can add are specific to the CA account you have chosen.
- ClickDeleteafter selecting to remove any additionalNameandValuefields you have added.You may not delete any CA API information required by your CA.
As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the valueNames.Mapping required F5 names to the original name of the keys in the Symantec CA APIF5 Names in Order InformationVendor Keys in the CA APIFirst NamefirstNameLast NamelastNameEmailemailProduct TypecertProductTypeServer TypeserverTypeF5 recommends that you verify the order information with the vendor before using in production. - In theInternal Proxyfields, do the following to setup an internal proxy to allow outside communications:
- SelectNew Internal ProxyorInternal Proxy List.You can also manage existing internal proxies, or create new internal proxies, by selectingand either select an existing internal proxy name to edit or clickCreateto create a new one.
- New Internal Proxy: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provideProxy Server Pooldetails), specify theDNS ResolverandRoute Domain(optional) information.
- Internal Proxy List: If you select to use an existing internal proxy list, select it from the available items in the list.
- ClickFinished.
You have now successfully
generated a new Symantec certificate order manager object.
You are now ready to
create:
- a new SSL certificate
- check certificate request status
- renew a certificate
- revoke a certificate.
Creating a new SSL certificate and key
After creating a new certificate order you will
need to request a new certificate from the CA. In order to create a certificate, you
will generate a key and Certificate Signing Request (CSR), followed by uploading the CSR
to the CA. The CA then generates that will be downloaded and imported into the
BIG-IP.
- On the Main tab, click. The SSL Certificate List screen opens.
- ClickCreate. The New SSL Certificate screen opens.
- In theNamefield, type a unique name for the new SSL certificate.
- From theIssuerlist, selectCertificate Authorityto create a request for a certificate/key pair to be sent to a certificate authority. When you send a request to a certificate authority, the certificate authority returns a signed certificate which you then install on the system.
- In theCommon Namefield, type the common name attribute for the certificate. The common name is embedded in the certificate for name-based authentication purposes.
- Configure any necessary fields in theCertificate Signing Request Attributessection.
- From theCertificate Order Managerlist, select the certificate order manager created in the Certificate Order Manager List screen.
- From theOrder Typelist, selectNew.
- In theOrder Passphrasefield, type a password that contains at least one special character, one numeric digit, one lowercase letter, and one uppercase letter.This is only required for Symantec.
- ClickFinished. The Certificate Signing Request screen opens.
- Review any necessary details and clickFinished.
- Select theKeytab. The CA’s Key Properties and Certificate Order Properties screen opens.
- In theCertificate Orderfield,Order Statuswill first showIn Progress, followed by a status ofNew Oder Pending, and finishing withNew Order Approved.ClickRefreshto update the UI as necessary.
- ClickDownload Certificate(s) Nowto manually check for the status of the order and download the certificate if it has been approved. ClickRefreshfor the page to be updated with the result. TheOrder Statusfield now showsNew Order Approved.
- Select theCertificatetab. Note that the certificate has now been installed (view details shared in theCertificate Propertiessection.
Your new CA certificate has been successfully
installed.
Renewing an existing SSL certificate and key
To renew an existing SSL
certificate and key, use the following steps.
- On the Main tab, click. The SSL Certificate List screen opens.
- From theNamecolumn, select the existing CA certificate and key you want to renew from the list. The Certificate screen opens.
- Select theKeytab. The Key screen opens showing the Key Properties and the Certificate Order Properties.
- In theCertificate Ordersection, do the following if you selected a Comodo certificate and key from the list:
- From theTypelist, selectRenew.
- In theIDfield, type the order ID.The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.
- ClickUpdate. TheOrder Statusfield will showRevoke Order Approved. If any necessary information is not filled in, theOrder Statuswill change toNew Order Rejected.
- In theCertificate Ordersection, do the following if you selected a Symantec certificate and key from the list:
- From theTypelist, selectRenew.
- In thePassphrasefield, you must type the required challenge passphrase for your certificate order to be approved.
- In theIDfield, make sure the order ID is present.The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.
- ClickUpdate. TheOrder Statusfield will change toRevoke Order Approved.
From theTypelist, you can also selectNewto create a new certificate order to the CA.
You have successfully
renewed your existing SSL certificate and key.
Revoking an existing SSL certificate and key
To revoke an
existing SSL certificate and key, use the following steps. Revoking an existing
certificate and key can be necessary if it has been compromised, its affiliation has
changed, and other reasons.
- On the Main tab, click. The SSL Certificate List screen opens.
- From theNamecolumn, select the existing CA certificate and key you want to revoke from the list. The Certificate screen opens.
- Select theKeytab. The Key screen opens showing the Key Properties and the Certificate Order Properties.
- In theCertificate Ordersection, do the following if you selected a Comodo certificate and key from the list:
- From theTypelist, selectRevoke.
- From theRevoke Reasonlist, select the reason you are revoking the existing SSL certificate and key.
- In theIDfield, type the order ID.The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.
- ClickUpdate. TheOrder Statusfield will change toRevoke Order Approved. If any necessary information is not filled in, theOrder Statuswill change toNew Order Rejected.
- In theCertificate Ordersection, do the following if you selected a Symantec certificate and key from the list:
- From theTypelist, selectRevoke.
- In thePassphrasefield, you must type the required challenge passphrase for your certificate order revoke request to be approved.
- In theIDfield, make sure the order ID is present.The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.
- ClickUpdate. TheOrder Statusfield will change toRevoke Order Approved.
From theTypelist, you can also selectCancelto cancel the previous certificate order to the CA. However, if the order was already sent to the server, the CA will still issue a certificate and cannot be cancelled.
You have successfully
revoked your existing SSL certificate and key.
Modifying an existing certificate order manager
To modify an existing certificate order manager,
use the following steps:
- On the Main tab, click. The Certificate Order Manager List screen opens.
- Click theNameof the certificate you want to modify.
- Modify necessary fields and clickUpdate.
You have now successfully modified an existing
certificate order.
Deleting an existing certificate order manager
To delete an existing
certificate order manager, use the following steps:
- On the Main tab, click. The Certificate Order Manager List screen opens.
- Select the check box next to theNameof the certificate you want to delete.
- ClickDelete.
You have now
successfully deleted an existing certificate order.