Manual Chapter : Managing External HSM Keys for LTM

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.2, 16.0.1, 16.0.0

BIG-IP LTM

  • 17.1.2, 16.0.1, 16.0.0

BIG-IP AFM

  • 17.1.2, 16.0.1, 16.0.0

BIG-IP DNS

  • 17.1.2, 16.0.1, 16.0.0

BIG-IP ASM

  • 17.1.2, 16.0.1, 16.0.0
Manual Chapter

Managing External HSM Keys for LTM

Generating a key/certificate using tmsh

You can use the Traffic Management Shell (
tmsh
) to generate a key and certificate.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (
    tmsh
    ).
    tmsh
  3. Generate the key.
    create sys crypto key
    <key_name>
    gen-certificate common-name
    <cert_name>
    nethsm-partition-name <partition-name> security-type nethsm
    This example generates an external HSM key named
    test_key
    and a certificate named
    test_nethsm.com
    with the security type of
    nethsm
    at HSM partition named "test_part1":
    create sys crypto key test_key gen-certificate common-name test_nethsm.com nethsm-partition-name test_part1 security-type nethsm
  4. Verify that the key was created.
    list sys crypto key test_key.key
    Information about the key displays:
    sys crypto key test_key.key { key-id <
    32-digit string
    > key-size 2048 key-type rsa-private nethsm-partition-name test_part1 security-type nethsm }
When you generate a key/certificate using
tmsh
, the system creates a HSM private key. It also creates a local key, which points to the HSM key, residing in the HSM.

Creating a self-signed digital certificate

If you are configuring the BIG-IP system to manage client-side HTTP traffic, you perform this task to create a self-signed certificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system to manage server-side HTTP traffic, you must repeat this task to create a second self-signed certificate to authenticate and secure the server-side HTTP traffic.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the
    Issuer
    list, select
    Self
    .
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the
    Security Type
    list, select
    NetHSM
    .
  15. From the
    Key Type
    list,
    RSA
    is selected as the default key type.
  16. From the
    Size
    list, select a size, in bits.
  17. Click
    Finished
    .

Importing a key from the HSM

You can use the BIG-IP Configuration utility to import an key from the HSM.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    . The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    Key
    .
  4. For the
    Key Name
    setting, select the
    New
    or the
    Overwrite Existing
    option and find the key label from your HSM for the key you are going to import.
  5. For the
    Key Source
    setting, select
    From NetHSM
    and use the key label on NetHSM as the key name.
  6. From the
    NetHSM Partition
    list, select
    Default Partition
    or choose from any other partitions available.
  7. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified key.

Importing a key from the HSM (using the tmsh)

You can use the Traffic Management Shell (tmsh) to install a key to the BIG-IP from a specified partition at NetHSM.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Install a key.
    tmsh install sys crypto key <key-name> security-type nethsm nethsm-partition-name <partition-name>
  4. Verify that the key was installed.
    For AWS, if the key is created using the AWS cloudHSM tool, make sure to set the following key attribute, CKA_ID, by adding
    -id
    , with a unique string, when creating the RSA key. For AWS, the CKA_ID attribute cannot be changed after the key is created, but is required for the key to be installed and used with BIG-IP. For example:
    genRSAKeyPair -m 2048 -e 65537 -l key_name
    -id key_name_id
    If you use the F5 tmsh command to create the HSM key, follow the steps in the
    Importing a key from the HSM (using the tmsh)
    section.

Creating a new key at a specified partition at NetHSM

You can create a new key at a specified partition at NetHSM by doing the following.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    . The SSL Certificate List screen opens.
  2. Click
    Create
    . The New SSL Certificate screen opens.
  3. In the
    Name
    field, type a unique name for the certificate.
  4. From the
    Issuer
    list, specify the type of certificate that you want to use.
    1. To request a certificate from a CA, select
      Certificate Authority
      .
    2. For a self-signed certificate, select
      Self
      .
  5. In the
    Common Name
    field, enter a name (such as
    nethsm_ecdsa
    ).
  6. From the
    Security Type
    list, select
    NetHSM
    .
  7. From the
    NetHSM Partition
    list, select
    Default Partition
    or any other partition name available.
  8. From the
    Key Type
    list, select
    RSA
    ,
    DSA
    , or
    ECDSA
    .
  9. If you selected
    ECDSA
    , then from the
    Curve
    list, select an elliptic curve.
    The elliptic curve secp521r1 is not supported on the F5 10350v-FIPS hardware platform.
  10. Click
    Finished
    .

Creating a new key at a specified partition at NetHSM (using the tmsh)

You can use the Traffic Management Shell (tmsh) to create a new key at a specified partition at NetHSM.
If you do not specify the partition name, the first available HSM partition will be used to create the key. The partition name associated with this key will be named "auto" in BIG-IP.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Create a new key.
    tmsh create sys crypto key <key-name> security-type nethsm nethsm-partition-name <partition-name>
    If you do not specify a partition name, the first detected partition will be used.
  4. Verify that the new key was created.

Requesting a certificate from a certificate authority

You perform this task to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA).
F5 Networks recommends that you consult the CA to determine the specific information required for each step in this task.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the
    Issuer
    list, select
    Certificate Authority
    .
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the
    Challenge Password
    field, type a password.
  15. In the
    Confirm Password
    field, re-type the password you typed in the
    Challenge Password
    field.
  16. From the
    Security Type
    list, select
    NetHSM
    .
  17. From the
    Key Type
    list,
    RSA
    is selected as the default key type.
  18. From the
    Size
    list, select a size, in bits.
  19. Click
    Finished
    .
    The Certificate Signing Request screen displays.
  20. Do one of the following to download the request into a file on your system.
    • In the
      Request Text
      field, copy the certificate.
    • For
      Request File
      , click the button.
  21. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  22. Click
    Finished
    .
    The Certificate Signing Request screen displays.
The generated certificate signing request is submitted to a trusted certificate authority for signature.

Deleting a key from the BIG-IP

You perform this task to delete an existing key from the BIG-IP.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. From the
    SSL Certificate List
    , select the check box next to the key you wish to delete.
  3. Click
    Delete
    .
The key you selected is deleted from BIG-IP.
The key stored in NetHSM is not deleted.

Creating a client SSL profile to use an external HSM key and certificate

After you have added the external HSM key and certificate to the BIG-IP system configuration, you can use the key and certificate as part of a client SSL profile. This task describes using the browser interface. Alternatively, you can use the Traffic Management Shell (
tmsh
) command-line utility.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a name for the profile.
  4. From the
    Parent Profile
    list, select
    clientssl
    .
  5. From the
    Configuration
    list, select
    Advanced
    .
    This selection makes it possible for you to modify additional default settings.
  6. For the Configuration area, select the
    Custom
    check box.
    The settings in the Configuration area become available for modification.
  7. Using the
    Certificate Key Chain
    setting, specify one or more certificate key chains:
    1. From the
      Certificate
      list, select the name of a certificate that you imported.
    2. From the
      Key
      list, select the name of the key that you imported.
    3. From the
      Chain
      list, select the chain that you want to include in the certificate key chain.
    4. Click
      Add
      .
  8. Click
    Finished
    .
After you have created the client SSL profile, you must assign the profile to a virtual server, so that the virtual server can process SSL traffic according to the specified profile settings.