Manual Chapter : SSL Certificate Management

Applies To:

Show Versions

BIG-IP APM

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP Analytics

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP LTM

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP PEM

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP AFM

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP DNS

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP ASM

16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

SSL Certificate Management

Supported certificate/key types

The BIG-IP system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:

Rivest Shamir Adleman (RSA)

Elliptic Curve Digital Signature Algorithm (ECDSA)

Digital Signature Algorithm (DSA)

When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.

On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About RSA certificates

RSA

(Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses its private key associated with the public key to decrypt the data. Only the private key can be used to decrypt data encrypted with the public key.

The RSA encryption algorithm includes an authentication mechanism.

On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About DSA certificates

DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than that of RSA.

DSA

is paired with a key exchange method such as Diffie-Hellman or Elliptical Curve Diffie-Hellman to achieve a comparable level of security to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with new government standards, such as those for specific key lengths.

About ECDSA certificates

When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm). An

ECDSA key

is based on Elliptic Curve Cryptography (ECC), and provides better security and performance with significantly shorter key lengths.

Encryption based on ECC is ideally suited for mobile devices that cannot store large keys.

For example, an RSA key size of 2048 bits is equivalent to an ECC key size of only 224 bits. As a result, less computing power is required, resulting in faster, more secure connections. The BIG-IP system supports the eilliptic curves prime256v1, secp384r1, and secp521r1.

The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

About SSL certificate management

You can obtain a certificate for the BIG-IP system by using the BIG-IP Configuration utility to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.

In addition to requesting CA-signed certificates, you can create self-signed certificates. You create self-signed certificates primarily for testing purposes within an organization.

When you install the BIG-IP software, the application includes a default self-signed certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate bundle contains certificates from most of the well-known CAs.

To manage digital certificates for the BIG-IP system, you must have a role of Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user account.

See additional information regarding SM2 options later in this section for importing, managing, and exporting a certificate and key with SM2 license. The BIG-IP system added SM2, SM3, and SM4 Cryptographic Algorithm support for the Chinese market. The algorithms were independently developed by the China State Cryptography Administration, where SM2 is the public key algorithm, SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Creating a self-signed certificate that contains an ECDSA key type

You can use this task to create a self-signed certificate with an ECDSA key type. The certificate is used to authenticate and secure either client-side or server-side HTTP traffic.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click

Create

In the

Name

field, type a unique name for the SSL certificate.

From the Issuer list, select

Self.

In the

Common Name

field, type a name.

This is typically the name of a web site, such as

www.siterequest.com

In the

Division

field, type your department name.

In the

Organization

field, type your company name.

In the

Locality

field, type your city name.

In the or

State or Province

field, type your state or province name.

From the

Country

list, select the name of your country.

In the

E-mail Address

field, type your email address.

In the

Lifetime

field, type a number of days, or retain the default,

365

In the

Subject Alternative Name

field, type a name.

This name is embedded in the certificate for X509 extension purposes.

By assigning this name, you can protect multiple host names with a single SSL certificate.

From the

Key Type

list, select

ECDSA

From the

Curve

list, select an elliptic curve:

prime256v1	Creates a key that is 256 bits in length
secp384r1	Creates a key that is 384 bits in length
secp521r1	Creates a key that is 521 bits in length

In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.

Click

Finished

The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a CA-signed certificate that contains an ECDSA key type

You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click

Create

In the

Name

field, type a unique name for the SSL certificate.

From the

Issuer

list, select

Certificate Authority

In the

Common Name

field, type a name.

This is typically the name of a web site, such as

www.siterequest.com

In the

Division

field, type your department name.

In the

Organization

field, type your company name.

In the

Locality

field, type your city name.

In the or

State or Province

field, type your state or province name.

From the

Country

list, select the name of your country.

In the

E-mail Address

field, type your email address.

In the

Lifetime

field, type a number of days, or retain the default,

365

In the

Subject Alternative Name

field, type a name.

This name is embedded in the certificate for X509 extension purposes.

By assigning this name, you can protect multiple host names with a single SSL certificate.

In the

Challenge Password

field, type a password.

In the

Confirm Password

field, re-type the password you typed in the

Challenge Password

field.

From the

Key Type

list, select

ECDSA

From the

Curve

list, select an elliptic curve:

prime256v1	Creates a key that is 256 bits in length
secp384r1	Creates a key that is 384 bits in length
secp521r1	Creates a key that is 521 bits in length

In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.

Do one of the following to download the request into a file on your system.

In the

Request Text

field, copy the certificate.

For

Request File

, click the button.

Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.

Click

Finished

The Certificate Signing Request screen displays.

The generated certificate is submitted to a trusted certificate authority for signature.

Creating a FIPS-type self-signed certificate

You can use this task to create a self-signed certificate to authenticate and secure either client-side or server-side HTTP traffic.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click

Create

In the

Name

field, type a unique name for the SSL certificate.

From the Issuer list, select

Self.

In the

Common Name

field, type a name.

This is typically the name of a web site, such as

www.siterequest.com

In the

Division

field, type your department name.

In the

Organization

field, type your company name.

In the

Locality

field, type your city name.

In the or

State or Province

field, type your state or province name.

From the

Country

list, select the name of your country.

In the

E-mail Address

field, type your email address.

In the

Lifetime

field, type a number of days, or retain the default,

365

In the

Subject Alternative Name

field, type a name.

This name is embedded in the certificate for X509 extension purposes.

By assigning this name, you can protect multiple host names with a single SSL certificate.

From the

Security Type

list, select

FIPS

From the

Key Type

list, select

RSA

DSA

, or

ECDSA

If you selected

ECDSA

, then from the

Curve

list, select an elliptic curve.

The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

Click

Finished

The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a FIPS-type CA-signed certificate

Use this task to create a request for a certificate with FIPS type security from a certificate authority.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

SSL Certificate List

This displays the list of certificates installed on the system.

Click

Create

The New SSL Certificate screen opens.

In the

Name

field, type a unique name for the certificate.

From the

Issuer

list, specify the type of certificate that you want to use.

To request a certificate from a CA, select

Certificate Authority

For a self-signed certificate, select

Self

Configure the

Common Name

setting and any other settings as needed.

From the

Security Type

list, select

FIPS

From the

Key Type

list, select

RSA

DSA

, or

ECDSA

If you selected

ECDSA

, then from the

Curve

list, select an elliptic curve.

The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

Click

Finished

Converting a key to FIPS format

You can use the BIG-IP Configuration utility to convert an existing key to a FIPS key.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

SSL Certificate List

Click a certificate name.

This displays the properties of that certificate.

On the menu bar, click

Key

This displays the type and size of the key associated with the certificate.

Click

Convert to FIPS

to convert the key to a FIPS key.

The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About SSL file import

You can import several types of SSL files onto the BIG-IP system.

Importing a certificate signed by a certificate authority

Before performing this task, confirm that a digital certificate signed by a certificate authority (CA) is available.

You can install an SSL certificate signed by a CA by importing a certificate that already exists on the hard drive of the management workstation. You can import a private key, a certificate or certificate bundle, or an archive.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click the

Import

button.

From the

Import Type

list, select

Certificate

For the

Certificate Name

setting:

If you are importing a new certificate, select

Create New

and type a unique name in the field.

If you are replacing an existing certificate, select

Overwrite Existing

and select a certificate name from the list.

For the

Certificate Source

setting, do one of the following:

Select the

Upload File

option, and browse to the location of the certificate file.

Select the

Paste Text

option, and paste the certificate text copied from another source.

Click

Import

After you perform this task, the SSL certificate that was signed by a CA is installed.

Importing an SSL key

You can use the BIG-IP Configuration utility to import an SSL key onto the BIG-IP system from another location.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click the

Import

button.

From the

Import Type

list, select

Key

For the

Key Name

setting, do one of the following:

Select the

Create New

option, and type a unique name in the field.

Select the

Overwrite Existing

option, and select a certificate name from the list.

For the

Key Source

setting, do one of the following:

Select the

Upload File

option, and browse to the location of the key file.

Select the

Paste Text

option, and paste the key text copied from another source.

In the

Password

field, type the password associated with the import source.

from the

Security Type

list, select a security type.

Click

Import

After you perform this task, the BIG-IP system imports the specified key.

Importing a PKCS-formatted file

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click the

Import

button.

From the

Import Type

list, select

PKCS 12 (IIS)

For the

Certificate Name

setting, type a certificate name.

For the

Certificate Source

setting, click

Browse

and locate the source file.

In the

Password

field, type the password associated with the import source.

from the

Security Type

list, select a security type.

Click

Import

After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file.

Importing a PKCS-formatted file with SM2 license

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format with an SM2 license.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click the

Import

button.

From the

Import Type

list, select

PKCS 12 (IIS)

For the

Certificate and Key Name

setting, select

New

and type a certificate name.

For the

Certificate and Key Source

setting, click

SM2

. Click

Choose File

for both

Signing

and

Encryption

to select the associated source files.

In the

Password

field, type the password associated with the import source.

From the

Key Security

list, sselect a security type to specify the level of security to use when importing and storing a key. For example a Security Type of Password means that you specify a password to protect the imported key. The password must be provided when the key is used. The default is

Normal

: Specifies that the key file is imported without password protection. In this case, the key resides in a standard form on the file system.

Password

: Specifies that the key is protected by a passphrase and stored in encrypted form. When you select this option, you must also specify a passphrase in the

Password

text box.

Click

Import

After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file with a SM2 license.

You are now ready to create a SM2 cihper rule and cipher group to use when creating a customer Client SSL profile that supports SM2. See the

Create a custom Client SSL profile that supports SM2

section in this guide for detailed steps.

Importing an archive file

You can use the BIG-IP Configuration utility to upload an archive file onto the BIG-IP system.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click the

Import

button.

For the

Upload Archive File

setting, click

Browse

and select the file to be imported.

Click the

Load

button.

After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Exporting an SSL certificate

You perform this task to export an SSL certificate to another device.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

Click the name of the certificate you want to export.

The General Properties screen displays.

Click

Export

The Certificate Export screen displays the contents of the certificate in the

Certificate Text

box.

To obtain the certificate, do one of the following:

Copy the text from the

Certificate Text

field, and paste it as needed into an interface on another system.

At the

Certificate File

option, click

Download filename

where the filename is the name of the certificate file, such as

mycert.crt

Exporting an SSL certificate to another device with an SM2 license

You perform this task to export an SSL certificate to another device with an SM2 license.

On the Main tab, click

System

Certificate Managment

Traffic Certificate Managment

The Traffic Certificate Management screen opens.

Click the name of the SM2 certificate you want to export.

The General Properties screen displays.

Click

Export

The Certificate Export screen displays the contents of the certificate in the

Certificate Text

box.

To obtain the certificate, do one of the following:

Copy the text from the

Certificate Text

field, and paste it as needed into an interface on another system with an SM2 license.

At the

Certificate File

option, click

Download Filename

where the filename of the certificate file, such as mycert.crt.

After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Viewing a list of certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

In the Name column, view the list of certificates on the system.

Viewing a list of SM2 certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

The Traffic Certificate Management screen opens.

In the

Name

column, select your SM2 certificate and key to view the details on the system. The

Contents

column will also indicate the item is a

SM2 Certificate & Key

You can now view your SM2 certificate and key details.

Digital SSL certificate properties

From the BIG-IP Configuration utility, you can see the properties of the SSL digital certificates you have installed on the BIG-IP system.

Property	Description
Certificate	The name of the certificate.
Content	The type of certificate content, for example, Certificate Bundle or Certificate and Key.
Common name	The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain .
Expiration date	The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization	The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany .

About certificate bundle management

You can use the bundle manager to automatically update and install certificate authority (CA) bundles on the system from two sources: local certificate file objects and remote URL resources. By using the

Include Bundles

and

Include URLs

options, you can combine CA certificates from various sources to create a new, customized CA bundle. You can also use the

Exclude Bundles

and

Exclude URLs

options to remove certain CA certificates from the resulting CA bundle file. The newly created or modified CA bundle file is installed as a certificate-file-object on the system and used as a trusted CA bundle by other modules.

In addition, you can set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created CA bundle manager does not create or update the managed CA bundle object. Exceptions are if the CA bundle manager has a positive update interval or is explicitly told to do so since you have set the

Update Now

option.

Creating a new certificate bundle

You can create a new certificate authority (CA) bundle, and specify bundles and URLs to include or exclude. You can also set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources.

The resulting bundle file will be named the same as the bundle manager object.

By default, a newly created CA bundle manager does not create or update the managed CA bundle object unless the CA bundle manager has a positive

Update Interval

or is explicitly told to do so by the

Update Now

option.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Bundle Manager List

The Bundle Manager List screen opens.

Click

Create

From the

Include Bundles

Available

list, select the certificate file objects to include for generating a new CA bundle.

In the

Include URLs

field, type the URL where remote CA bundles reside, and click

Add

to include that for generating the new CA bundle.

Only HTTPS URLs are allowed in the

Include URLs

fields.

From the

Exclude Bundles

Available

list, select the certificate file objects to exclude from the new CA bundle.

In the

Exclude URLs

field, type the URL where remote CA bundles reside, and click

Add

to exclude it from the new CA bundle.

Only HTTPS URLs are allowed in the

Exclude URLs

fields.

In the

Update Interval

field, type the number of days at which to refresh the remote CA bundles at the URLs.

The default value is set to

and indicates that the generated CA bundle is not dynamically updated.

If you want the CA bundle manager to immediately refresh its generated CA bundle from all its sources and recalculate its certificate contents, select the

Update Now

check box.

The default value is disabled.

From the

Trusted CA-Bundle

list, select the CA bundle that this CA bundle manager will use to download remote CA bundles in the include and exclude URLs.

In the

Proxy Server

field, type the host name or IP address of the proxy server for accessing remote URL resources.

Only HTTP proxy is supported. You may optionally prepend

http://

to the host name or IP address.

In the

Proxy Server Port

field, type the port number of the proxy server for accessing remote URL resources.

The default is

3128

In the

Download Timeout

field, specify the timeout period, in seconds, to download the remote CA bundles from the URLs.

The value range is from 1 to 3600 (1 hour) seconds.

The default value is

seconds.

Click

Finished

The system installs a generated CA bundle file as a certificate-file-object on the system to be used as a trusted CA bundle by other modules.

Modifying an existing certificate bundle

You can use the bundle manager to modify an existing certificate authority (CA) bundle.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Bundle Manager List

The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.

From the

Bundle Manager List

, click the name of the CA bundle that you want to modify.

The Properties screen opens showing the selected CA bundle general properties and configuration details

Select the

Update Now

check box if you want the bundle to be updated.

Modify any of the configuration details needed, and click

Update

The system updates the selected CA bundle’s configuration with the modified configuration details.

Deleting an existing certificate bundle

You can use the bundle manager to delete an existing certificate authority (CA) bundle.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Bundle Manager List

The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.

Select the check box next to the name of the CA bundle that you want to delete.

Click

Delete

You can also delete a CA bundle on the Properties screen by clicking

Delete

at the bottom of the screen.

Deleting the CA bundle manager does not delete the managed CA bundle file object. You should delete the CA bundle file object separately or you might receive an error message indicating that your managed CA bundle file object is referenced by a CA bundle manager.

This deletes the selected CA bundle from the system.

About certificate order management

The BIG-IP system supports a unified interface for F5 customers to manage Certificate Authority (CA) certificate operations within the BIG-IP. Currently, F5 supports the following Certificate Authorities for which the BIG-IP automatically generates certificates using their APIs:

Comodo (now known as Sectigo)

Symantec (purchased by Digicert)

GoDaddy

DigiCert

You can generate, renew, and revoke certificates as necessary after setting up general properties, authentication details, certificate authority request order information, and internal proxy connection details.

A CA request is made up of multiple pieces of information from both the Certificate Order Manager and the Certificate Signing Request (CSR). This information is combined in the API request sent to the vendor. For example, the Certificate Order Manager object maintains information about contacting the CA, including authentication information and URI. It also maintains information about the type of certificate product being purchased from the vendor. The CSR, created during the certificate key creation in TMOS, maintains information about the specific host, or hosts, that the certificate is intended to cover (such as their common name, email address, and other information). With this information combined in the API request and sent to the vendor, it allows you to configure one certificate order for multiple certificates that use common certificate types and durations.

Make sure to read the Certificate Authority documentation you select so to better understand and note specific CA requirements, APIs, and other information that you will need so to complete the new certificate order information fields. Each Certificate Authority requires different information to generate a CA order. You will need to map the external CA information in their documentation to the fields in this task.

Generating a new certificate order (Comodo)

Before setting up the CA order, you must first do one of the following:

Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.

Setup and configure a proxy server pool in your system's environment.

Make sure you have an account with the CA that is being setup for API access.

To generate a new Comodo certificate order, use the following steps.

Comodo is now known as Sectigo. For Comodo certificate manager tool and account information, see the official Sectigo web site. Make sure to read the Sectigo documentation and refer to it as necessary to understand their requirements, APIs, and other information that will help you complete the new certificate order information fields. In this documentation, and in the BIG-IP UI, F5 refers to Comodo as the CA name.

Each CA requires different information to generate a CA order. Depending on the CA you select, certificate order fields will vary and are tailored to be vendor specific. The certificate order manager information will be paired with the CSR information, which is created when configuring the certificate key in TMOS (this maintains information about the specific host or hosts that the certificate is intended to cover, such as their common name, email address, etc.). These are combined in the API request that is sent to the vendor.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Certificate Order Manager List

. The Certificate Order Manager List screen opens.

Click

Create

In the

Name

field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.

From the

Certificate Authority

list, select

Comodo

Comodo is the default certificate authority selected.

The

Auto Renew

field is selected by default.

In the

field, type a unique login name. Use the same login name you use with your Comodo CA account.

In the

field, type a password. Use the same login password you use with your Comodo CA account.

For Comodo, F5 recommends you use a dedicated user for API access with limited rights to specific items rather than the overall administrator object used at log in.

In the

Validity Days

field, type the number of days the certificate authority request remains valid.

Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.

For Comodo, this number must later match one of the options configured in the CCM for the certificate type.

In the

Base URL

field, type your CA account’s base URL if it is different from the default base URL provided by the CA.

In the

Additional HTTP Headers

field, type the CA’s specific key value pair (separated by a colon). You can add additional key value pairs by separating them with a semicolon. In this instance, the key is the unique customer URI and the value is specific to the user. For example, you must have the following string:

customerURI:<customer uri>

. The

is replaced with the actual customer URI.

Check with your specific CA account documentation to determine how to use their API information and determine required additional HTTP header information.

This field is required for the Comodo CA order. When you create an account with Comodo, the customer URI is unique to Comodo CA and is provided for customer use. The Comodo customer URI is found by looking at the URI used to access the Comodo certificate manager. For example, if the URI for Comodo is

https://cert-manager.com/customer/my-customer-uri/locale=en#0

, then the customer URI is between

customer/

and before

/locale

and is, in this example,

my-customer-uri

From the

CA Certificate

list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is

ca-bundle

In the

Order Information

fields, fill in the information required by your selected CA.

Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.

The options in the

Order Information

field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name

Values

, the text field at the bottom of the

Order Information

section will automatically populate with your CA configuration.

Select the

Edit as text box

if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the

Order Information

section. If you add the CA configuration information in this manner, the required fields in

Order Information

will be automatically populated with the values you input for each required

Name

field.

For Comodo, after entering the

OrgID

, enter

-1

in the

Server Type

field to indicate that the certificate is for the server type

other

Use your CA account documentation to complete the required configuration fields provided.

Click

Add

to add additional

Name

and

Value

fields from the list. This list is of names you can add are specific to the CA account you have chosen.

For Comodo CA, you can also click Add next to the Custom Fields name and type a custom Name not available in the list.

Click

Delete

after selecting to remove any additional

Name

and

Value

fields you have added.

You may not delete any CA API information required by your CA.

As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the keys in the CA API.

Mapping of required F5 names to the original name of the keys in the Comodo CA API
F5 Names in Order Information	Vendor Keys in the CA API
Org ID	orgId
Server Type	serverType

F5 recommends that you verify the order information with the vendor before using in production.

In the

Internal Proxy

fields, do the following to setup an internal proxy to allow outside communications:

Select

New Internal Proxy

Internal Proxy List

You can also manage existing internal proxies, or create new internal proxies, by selecting

System

Services

Internal Proxies

and either select an existing internal proxy name to edit or click

Create

to create a new one.

New Internal Proxy

: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide

Proxy Server Pool

details), specify the

DNS Resolver

and

Route Domain

(optional) information.

Internal Proxy List

: If you select to use an existing internal proxy list, select it from the available items in the list.

Click

Finished

You have now successfully generated a new Comodo certificate order manager object.

You are now ready to create:

a new SSL certificate

check certificate request status

renew a certificate

revoke a certificate.

Generating a new certificate order (Symantec)

Before setting up the CA order, you must first do one of the following:

Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.

Setup and configure a proxy server pool in your system's environment.

Make sure you have an account with the CA that is being setup for API access.

To generate a new Symantec certificate order, use the following steps.

Symantec is now known as Digicert (after Digicert purchased Symantec). In this documentation, and in the BIG-IP UI, F5 refers to Symantec as the CA name. For Symantec certificate manager tool and account information, see the official Symantec (or Digicert as needed) web site.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Certificate Order Manager List

. The Certificate Order Manager List screen opens.

Click

Create

In the

Name

field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.

From the

Certificate Authority

list, select

Symantec

Comodo is the default certificate authority selected.

The

Auto Renew

field is selected by default.

From the

Client Certificate

list, select the required client certificate.

For Symantec, the user must be authorized for the VICE2 web services application role (

in the Roles list). This can be checked by logging into your Symantec account.

From the

Client Key

list, select the required client key.

In the

Key Passphrase

field, type the CA’s key passphrase.

In the

Validity Days

field, type the number of days the certificate authority request remains valid.

Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.

In the

Base URL

field, type your CA account’s base URL if it is different from the default base URL provided by the CA.

Leave the

Additional HTTP Headers

field blank. Symantec does not require this information.

From the

CA Certificate

list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is

ca-bundle

In the

Order Information

fields, fill in the information required by your selected CA.

Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.

The options in the

Order Information

field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name

Values

, the text field at the bottom of the

Order Information

section will automatically populate with your CA configuration.

Select the

Edit as text box

if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the

Order Information

section. If you add the CA configuration information in this manner, the required fields in

Order Information

will be automatically populated with the values you input for each required

Name

field.

Use your CA account documentation to complete the required configuration fields provided.

Click

Add

to add additional

Name

and

Value

fields from the list. This list is of names you can add are specific to the CA account you have chosen.

Click

Delete

after selecting to remove any additional

Name

and

Value

fields you have added.

You may not delete any CA API information required by your CA.

As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the value

Names

Mapping required F5 names to the original name of the keys in the Symantec CA API
F5 Names in Order Information	Vendor Keys in the CA API
First Name	firstName
Last Name	lastName
Email	email
Product Type	certProductType
Server Type	serverType

F5 recommends that you verify the order information with the vendor before using in production.

In the

Internal Proxy

fields, do the following to setup an internal proxy to allow outside communications:

Select

New Internal Proxy

Internal Proxy List

You can also manage existing internal proxies, or create new internal proxies, by selecting

System

Services

Internal Proxies

and either select an existing internal proxy name to edit or click

Create

to create a new one.

New Internal Proxy

: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide

Proxy Server Pool

details), specify the

DNS Resolver

and

Route Domain

(optional) information.

Internal Proxy List

: If you select to use an existing internal proxy list, select it from the available items in the list.

Click

Finished

You have now successfully generated a new Symantec certificate order manager object.

You are now ready to create:

a new SSL certificate

check certificate request status

renew a certificate

revoke a certificate.

Generating a new certificate order (GoDaddy/DigiCert)

Before setting up the CA order, you must first do one of the following:

Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.

Setup and configure a proxy server pool in your system's environment.

Make sure you have an account with the CA that is being setup for API access.

The following products that are currently supported under 'type_hint' for DigiCert:

ssl_plus

ssl_multi_domain

ssl_wildcard

ssl_ev_plus

ssl_ev_multi_domain

To generate a new Godaddy/DigiCert certificate order, use the following steps.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Certificate Order Manager List

. The Certificate Order Manager List screen opens.

Click

Create

In the

Name

field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.

From the

Certificate Authority

list, select

GoDaddy

DigiCert

Comodo is the default certificate authority selected.

The

Auto Renew

field is selected by default.

In the

Security Token

field, specify the GoDaddy or DigiCert CA account access security token.

In the

Validity Days

field, type the number of days the certificate authority request remains valid.

Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.

In the

Base URL

field, type your CA account’s base URL if it is different from the default base URL provided by the CA.

Leave the

Additional HTTP Headers

field blank.

From the

CA Certificate

list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is

ca-bundle

In the

Order Information

fields, fill in the information required by your selected CA.

Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.

The options in the

Order Information

field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name

Values

, the text field at the bottom of the

Order Information

section will automatically populate with your CA configuration.

Select the

Edit as text box

if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the

Order Information

section. If you add the CA configuration information in this manner, the required fields in

Order Information

will be automatically populated with the values you input for each required

Name

field.

Use your CA account documentation to complete the required configuration fields provided.

Click

Add

to add additional

Name

and

Value

fields from the list. This list is of names you can add are specific to the CA account you have chosen.

Click

Delete

after selecting to remove any additional

Name

and

Value

fields you have added.

You may not delete any CA API information required by your CA.

In the

Internal Proxy

fields, do the following to setup an internal proxy to allow outside communications:

Select

New Internal Proxy

Internal Proxy List

You can also manage existing internal proxies, or create new internal proxies, by selecting

System

Services

Internal Proxies

and either select an existing internal proxy name to edit or click

Create

to create a new one.

New Internal Proxy

: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide

Proxy Server Pool

details), specify the

DNS Resolver

and

Route Domain

(optional) information.

Internal Proxy List

: If you select to use an existing internal proxy list, select it from the available items in the list.

Click

Finished

You have now successfully generated a new Godaddy/DigiCert certificate order manager object.

You are now ready to create:

a new SSL certificate

check certificate request status

renew a certificate

revoke a certificate.

Creating a new SSL certificate and key

After creating a new certificate order you will need to request a new certificate from the CA. In order to create a certificate, you will generate a key and Certificate Signing Request (CSR), followed by uploading the CSR to the CA. The CA then generates that will be downloaded and imported into the BIG-IP.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

SSL Certificate List

. The SSL Certificate List screen opens.

Click

Create

. The New SSL Certificate screen opens.

In the

Name

field, type a unique name for the new SSL certificate.

From the

Issuer

list, select

Certificate Authority

to create a request for a certificate/key pair to be sent to a certificate authority. When you send a request to a certificate authority, the certificate authority returns a signed certificate which you then install on the system.

In the

Common Name

field, type the common name attribute for the certificate. The common name is embedded in the certificate for name-based authentication purposes.

Configure any necessary fields in the

Certificate Signing Request Attributes

section.

From the

Certificate Order Manager

list, select the certificate order manager created in the Certificate Order Manager List screen.

From the

Order Type

list, select

New

In the

Order Passphrase

field, type a password that contains at least one special character, one numeric digit, one lowercase letter, and one uppercase letter.

This is only required for Symantec.

Click

Finished

. The Certificate Signing Request screen opens.

Review any necessary details and click

Finished

Select the

Key

tab. The CA’s Key Properties and Certificate Order Properties screen opens.

In the

Certificate Order

field,

Order Status

will first show

In Progress

, followed by a status of

New Oder Pending

, and finishing with

New Order Approved

Click

Refresh

to update the UI as necessary.

Click

Download Certificate(s) Now

to manually check for the status of the order and download the certificate if it has been approved. Click

Refresh

for the page to be updated with the result. The

Order Status

field now shows

New Order Approved

Select the

Certificate

tab. Note that the certificate has now been installed (view details shared in the

Certificate Properties

section.

Your new CA certificate has been successfully installed.

Renewing an existing SSL certificate and key

To renew an existing SSL certificate and key, use the following steps.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

SSL Certificate List

. The SSL Certificate List screen opens.

From the

Name

column, select the existing CA certificate and key you want to renew from the list. The Certificate screen opens.

Select the

Key

tab. The Key screen opens showing the Key Properties and the Certificate Order Properties.

In the

Certificate Order

section, do the following if you selected a Comodo certificate and key from the list:

From the

Type

list, select

Renew

In the

field, type the order ID.

The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.

Click

Update

. The

Order Status

field will show

Revoke Order Approved

. If any necessary information is not filled in, the

Order Status

will change to

New Order Rejected

In the

Certificate Order

section, do the following if you selected a Symantec certificate and key from the list:

From the

Type

list, select

Renew

In the

Passphrase

field, you must type the required challenge passphrase for your certificate order to be approved.

In the

field, make sure the order ID is present.

Click

Update

. The

Order Status

field will change to

Revoke Order Approved

From the

Type

list, you can also select

New

to create a new certificate order to the CA.

You have successfully renewed your existing SSL certificate and key.

Revoking an existing SSL certificate and key

To revoke an existing SSL certificate and key, use the following steps. Revoking an existing certificate and key can be necessary if it has been compromised, its affiliation has changed, and other reasons.

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

SSL Certificate List

. The SSL Certificate List screen opens.

From the

Name

column, select the existing CA certificate and key you want to revoke from the list. The Certificate screen opens.

Select the

Key

tab. The Key screen opens showing the Key Properties and the Certificate Order Properties.

In the

Certificate Order

section, do the following if you selected a Comodo certificate and key from the list:

From the

Type

list, select

Revoke

From the

Revoke Reason

list, select the reason you are revoking the existing SSL certificate and key.

In the

field, type the order ID.

The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.

Click

Update

. The

Order Status

field will change to

Revoke Order Approved

. If any necessary information is not filled in, the

Order Status

will change to

New Order Rejected

In the

Certificate Order

section, do the following if you selected a Symantec certificate and key from the list:

From the

Type

list, select

Revoke

In the

Passphrase

field, you must type the required challenge passphrase for your certificate order revoke request to be approved.

In the

field, make sure the order ID is present.

Click

Update

. The

Order Status

field will change to

Revoke Order Approved

From the

Type

list, you can also select

Cancel

to cancel the previous certificate order to the CA. However, if the order was already sent to the server, the CA will still issue a certificate and cannot be cancelled.

You have successfully revoked your existing SSL certificate and key.

Modifying an existing certificate order manager

To modify an existing certificate order manager, use the following steps:

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Certificate Order Manager List

. The Certificate Order Manager List screen opens.

Click the

Name

of the certificate you want to modify.

Modify necessary fields and click

Update

You have now successfully modified an existing certificate order.

Deleting an existing certificate order manager

To delete an existing certificate order manager, use the following steps:

On the Main tab, click

System

Certificate Management

Traffic Certificate Management

Certificate Order Manager List

. The Certificate Order Manager List screen opens.

Select the check box next to the

Name

of the certificate you want to delete.

Click

Delete

You have now successfully deleted an existing certificate order.

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP APM

BIG-IP Analytics

BIG-IP LTM

BIG-IP PEM

BIG-IP AFM

BIG-IP DNS

BIG-IP ASM

SSL Certificate Management

Supported certificate/key types

About RSA certificates

About DSA certificates

About ECDSA certificates

About SSL certificate management

Creating a self-signed certificate that contains an ECDSA key type

Requesting a CA-signed certificate that contains an ECDSA key type

Creating a FIPS-type self-signed certificate

Requesting a FIPS-type CA-signed certificate

Converting a key to FIPS format

About SSL file import

Importing a certificate signed by a certificate authority

Importing an SSL key

Importing a PKCS-formatted file

Importing a PKCS-formatted file with SM2 license

Importing an archive file

Exporting an SSL certificate

Exporting an SSL certificate to another device with an SM2 license

Viewing a list of certificates on the system

Viewing a list of SM2 certificates on the system

Digital SSL certificate properties

About certificate bundle management

Creating a new certificate bundle

Modifying an existing certificate bundle

Deleting an existing certificate bundle

About certificate order management

Generating a new certificate order (Comodo)

Generating a new certificate order (Symantec)

Generating a new certificate order (GoDaddy/DigiCert)

Creating a new SSL certificate and key

Renewing an existing SSL certificate and key

Revoking an existing SSL certificate and key

Modifying an existing certificate order manager

Deleting an existing certificate order manager

Have a Question?

Follow Us

About F5

Education

F5 Sites

Support Tasks