Manual Chapter :
Managing External HSM Keys for LTM
Applies To:
Show VersionsBIG-IP APM
- 17.1.2, 16.0.1, 16.0.0
BIG-IP LTM
- 17.1.2, 16.0.1, 16.0.0
BIG-IP AFM
- 17.1.2, 16.0.1, 16.0.0
BIG-IP DNS
- 17.1.2, 16.0.1, 16.0.0
BIG-IP ASM
- 17.1.2, 16.0.1, 16.0.0
Managing External HSM Keys for LTM
Generating a key/certificate using tmsh
You can use the Traffic Management Shell (
tmsh
) to generate a key and certificate.- Log in to the command-line interface of the system using an account with administrator privileges.
- Open the TMOS Shell (tmsh).tmsh
- Generate the key.create sys crypto key<key_name>gen-certificate common-name<cert_name>nethsm-partition-name <partition-name> security-type nethsmThis example generates an external HSM key namedtest_keyand a certificate namedtest_nethsm.comwith the security type ofnethsmat HSM partition named "test_part1":create sys crypto key test_key gen-certificate common-name test_nethsm.com nethsm-partition-name test_part1 security-type nethsm
- Verify that the key was created.list sys crypto key test_key.keyInformation about the key displays:sys crypto key test_key.key { key-id <32-digit string> key-size 2048 key-type rsa-private nethsm-partition-name test_part1 security-type nethsm }
When
you generate a key/certificate using
tmsh
, the system creates a HSM private key. It also creates a local key,
which points to the HSM key, residing in the HSM.Creating a self-signed digital certificate
If you are configuring the BIG-IP system to
manage client-side HTTP traffic, you perform this task to create a self-signed
certificate to authenticate and secure the client-side HTTP traffic. If you are also
configuring the system to manage server-side HTTP traffic, you must repeat this task to
create a second self-signed certificate to authenticate and secure the server-side HTTP
traffic.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From theIssuerlist, selectSelf.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- From theSecurity Typelist, selectNetHSM.
- From theKey Typelist,RSAis selected as the default key type.
- From theSizelist, select a size, in bits.
- ClickFinished.
Importing a key from the HSM
You can use the BIG-IP Configuration utility to
import an key from the HSM.
- On the Main tab, click. The Traffic Certificate Management screen opens.
- Click theImportbutton.
- From theImport Typelist, selectKey.
- For theKey Namesetting, select theNewor theOverwrite Existingoption and find the key label from your HSM for the key you are going to import.
- For theKey Sourcesetting, selectFrom NetHSMand use the key label on NetHSM as the key name.
- From theNetHSM Partitionlist, selectDefault Partitionor choose from any other partitions available.
- ClickImport.
After you perform this task, the BIG-IP system
imports the specified key.
Importing a key from the HSM (using the tmsh)
You can use the Traffic Management Shell (tmsh) to
install a key to the BIG-IP from a specified partition at NetHSM.
- Log in to the command-line interface of the system using an account with administrator privileges.
- Open the TMOS Shell (tmsh).tmsh
- Install a key.tmsh install sys crypto key <key-name> security-type nethsm nethsm-partition-name <partition-name>
- Verify that the key was installed.For AWS, if the key is created using the AWS cloudHSM tool, make sure to set the following key attribute, CKA_ID, by adding-id, with a unique string, when creating the RSA key. For AWS, the CKA_ID attribute cannot be changed after the key is created, but is required for the key to be installed and used with BIG-IP. For example:genRSAKeyPair -m 2048 -e 65537 -l key_name-id key_name_idIf you use the F5 tmsh command to create the HSM key, follow the steps in theImporting a key from the HSM (using the tmsh)section.
Creating a new key at a specified partition at NetHSM
You can create a new key at a specified partition
at NetHSM by doing the following.
- On the Main tab, click. The SSL Certificate List screen opens.
- ClickCreate. The New SSL Certificate screen opens.
- In theNamefield, type a unique name for the certificate.
- From theIssuerlist, specify the type of certificate that you want to use.
- To request a certificate from a CA, selectCertificate Authority.
- For a self-signed certificate, selectSelf.
- In theCommon Namefield, enter a name (such asnethsm_ecdsa).
- From theSecurity Typelist, selectNetHSM.
- From theNetHSM Partitionlist, selectDefault Partitionor any other partition name available.
- From theKey Typelist, selectRSA,DSA, orECDSA.
- If you selectedECDSA, then from theCurvelist, select an elliptic curve.The elliptic curve secp521r1 is not supported on the F5 10350v-FIPS hardware platform.
- ClickFinished.
Creating a new key at a specified partition at NetHSM (using the tmsh)
You can use the Traffic
Management Shell (tmsh) to create a new key at a specified partition at NetHSM.
If
you do not specify the partition name, the first available HSM partition will be
used to create the key. The partition name associated with this key will be named
"auto" in BIG-IP.
- Log in to the command-line interface of the system using an account with administrator privileges.
- Open the TMOS Shell (tmsh).tmsh
- Create a new key.tmsh create sys crypto key <key-name> security-type nethsm nethsm-partition-name <partition-name>If you do not specify a partition name, the first detected partition will be used.
- Verify that the new key was created.
Requesting a certificate from a certificate authority
You perform this task to generate a certificate
signing request (CSR) that can then be submitted to a third-party trusted certificate
authority (CA).
F5 Networks recommends that you consult the CA to determine
the specific information required for each step in this task.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- ClickCreate.
- In theNamefield, type a unique name for the SSL certificate.
- From theIssuerlist, selectCertificate Authority.
- In theCommon Namefield, type a name.This is typically the name of a web site, such aswww.siterequest.com.
- In theDivisionfield, type your department name.
- In theOrganizationfield, type your company name.
- In theLocalityfield, type your city name.
- In the orState or Provincefield, type your state or province name.
- From theCountrylist, select the name of your country.
- In theE-mail Addressfield, type your email address.
- In theLifetimefield, type a number of days, or retain the default,365.
- In theSubject Alternative Namefield, type a name.This name is embedded in the certificate for X509 extension purposes.By assigning this name, you can protect multiple host names with a single SSL certificate.
- In theChallenge Passwordfield, type a password.
- In theConfirm Passwordfield, re-type the password you typed in theChallenge Passwordfield.
- From theSecurity Typelist, selectNetHSM.
- From theKey Typelist,RSAis selected as the default key type.
- From theSizelist, select a size, in bits.
- ClickFinished.The Certificate Signing Request screen displays.
- Do one of the following to download the request into a file on your system.
- In theRequest Textfield, copy the certificate.
- ForRequest File, click the button.
- Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
- ClickFinished.The Certificate Signing Request screen displays.
The generated certificate signing request is submitted to a trusted certificate
authority for signature.
Deleting a key from the BIG-IP
You perform this
task to delete an existing key from the BIG-IP.
- On the Main tab, click.The Traffic Certificate Management screen opens.
- From theSSL Certificate List, select the check box next to the key you wish to delete.
- ClickDelete.
The key you selected is
deleted from BIG-IP.
The key stored in NetHSM is not
deleted.
Creating a client SSL profile to use an external HSM key and certificate
After you have added
the external HSM key and certificate to the BIG-IP system configuration, you can use the
key and certificate as part of a client SSL profile. This task describes using the
browser interface. Alternatively, you can use the Traffic Management Shell (
tmsh
) command-line
utility.- On the Main tab, click.The Client screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a name for the profile.
- From theParent Profilelist, selectclientssl.
- From theConfigurationlist, selectAdvanced.This selection makes it possible for you to modify additional default settings.
- For the Configuration area, select theCustomcheck box.The settings in the Configuration area become available for modification.
- Using theCertificate Key Chainsetting, specify one or more certificate key chains:
- From theCertificatelist, select the name of a certificate that you imported.
- From theKeylist, select the name of the key that you imported.
- From theChainlist, select the chain that you want to include in the certificate key chain.
- ClickAdd.
- ClickFinished.
After you have
created the client SSL profile, you must assign the profile to a virtual server, so that
the virtual server can process SSL traffic according to the specified profile
settings.