Manual Chapter : SSL Certificate Management

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP Analytics

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP LTM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP PEM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP AFM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP DNS

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP ASM

  • 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Manual Chapter

SSL Certificate Management

Supported certificate/key types

The BIG-IP system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:
  • Rivest Shamir Adleman (RSA)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Digital Signature Algorithm (DSA)
When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.
On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About RSA certificates

RSA
(Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses its private key associated with the public key to decrypt the data. Only the private key can be used to decrypt data encrypted with the public key.
The RSA encryption algorithm includes an authentication mechanism.
On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About DSA certificates

DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than that of RSA.
DSA
is paired with a key exchange method such as Diffie-Hellman or Elliptical Curve Diffie-Hellman to achieve a comparable level of security to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with new government standards, such as those for specific key lengths.

About ECDSA certificates

When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm). An
ECDSA key
is based on Elliptic Curve Cryptography (ECC), and provides better security and performance with significantly shorter key lengths.
Encryption based on ECC is ideally suited for mobile devices that cannot store large keys.
For example, an RSA key size of 2048 bits is equivalent to an ECC key size of only 224 bits. As a result, less computing power is required, resulting in faster, more secure connections. The BIG-IP system supports the eilliptic curves prime256v1, secp384r1, and secp521r1.
The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

About SSL certificate management

You can obtain a certificate for the BIG-IP system by using the BIG-IP Configuration utility to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.
In addition to requesting CA-signed certificates, you can create self-signed certificates. You create self-signed certificates primarily for testing purposes within an organization.
When you install the BIG-IP software, the application includes a default self-signed certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate bundle contains certificates from most of the well-known CAs.
To manage digital certificates for the BIG-IP system, you must have a role of Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user account.
See additional information regarding SM2 options later in this section for importing, managing, and exporting a certificate and key with SM2 license. The BIG-IP system added SM2, SM3, and SM4 Cryptographic Algorithm support for the Chinese market. The algorithms were independently developed by the China State Cryptography Administration, where SM2 is the public key algorithm, SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Creating a self-signed certificate that contains an ECDSA key type

You can use this task to create a self-signed certificate with an ECDSA key type. The certificate is used to authenticate and secure either client-side or server-side HTTP traffic.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the Issuer list, select
    Self.
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the
    Key Type
    list, select
    ECDSA
    .
  15. From the
    Curve
    list, select an elliptic curve:
    prime256v1
    Creates a key that is 256 bits in length
    secp384r1
    Creates a key that is 384 bits in length
    secp521r1
    Creates a key that is 521 bits in length
    In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  16. Click
    Finished
    .
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a CA-signed certificate that contains an ECDSA key type

You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the
    Issuer
    list, select
    Certificate Authority
    .
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the
    Challenge Password
    field, type a password.
  15. In the
    Confirm Password
    field, re-type the password you typed in the
    Challenge Password
    field.
  16. From the
    Key Type
    list, select
    ECDSA
    .
  17. From the
    Curve
    list, select an elliptic curve:
    prime256v1
    Creates a key that is 256 bits in length
    secp384r1
    Creates a key that is 384 bits in length
    secp521r1
    Creates a key that is 521 bits in length
    In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  18. Do one of the following to download the request into a file on your system.
    • In the
      Request Text
      field, copy the certificate.
    • For
      Request File
      , click the button.
  19. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  20. Click
    Finished
    .
    The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for signature.

Creating a FIPS-type self-signed certificate

You can use this task to create a self-signed certificate to authenticate and secure either client-side or server-side HTTP traffic.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the SSL certificate.
  4. From the Issuer list, select
    Self.
  5. In the
    Common Name
    field, type a name.
    This is typically the name of a web site, such as
    www.siterequest.com
    .
  6. In the
    Division
    field, type your department name.
  7. In the
    Organization
    field, type your company name.
  8. In the
    Locality
    field, type your city name.
  9. In the or
    State or Province
    field, type your state or province name.
  10. From the
    Country
    list, select the name of your country.
  11. In the
    E-mail Address
    field, type your email address.
  12. In the
    Lifetime
    field, type a number of days, or retain the default,
    365
    .
  13. In the
    Subject Alternative Name
    field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the
    Security Type
    list, select
    FIPS
    .
  15. From the
    Key Type
    list, select
    RSA
    ,
    DSA
    , or
    ECDSA
    .
  16. If you selected
    ECDSA
    , then from the
    Curve
    list, select an elliptic curve.
    The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  17. Click
    Finished
    .
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a FIPS-type CA-signed certificate

Use this task to create a request for a certificate with FIPS type security from a certificate authority.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    .
    This displays the list of certificates installed on the system.
  2. Click
    Create
    .
    The New SSL Certificate screen opens.
  3. In the
    Name
    field, type a unique name for the certificate.
  4. From the
    Issuer
    list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select
      Certificate Authority
      .
    • For a self-signed certificate, select
      Self
      .
  5. Configure the
    Common Name
    setting and any other settings as needed.
  6. From the
    Security Type
    list, select
    FIPS
    .
  7. From the
    Key Type
    list, select
    RSA
    ,
    DSA
    , or
    ECDSA
    .
  8. If you selected
    ECDSA
    , then from the
    Curve
    list, select an elliptic curve.
    The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  9. Click
    Finished
    .

Converting a key to FIPS format

You can use the BIG-IP Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
  2. Click a certificate name.
    This displays the properties of that certificate.
  3. On the menu bar, click
    Key
    .
    This displays the type and size of the key associated with the certificate.
  4. Click
    Convert to FIPS
    to convert the key to a FIPS key.
    The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About SSL file import

You can import several types of SSL files onto the BIG-IP system.

Importing a certificate signed by a certificate authority

Before performing this task, confirm that a digital certificate signed by a certificate authority (CA) is available.
You can install an SSL certificate signed by a CA by importing a certificate that already exists on the hard drive of the management workstation. You can import a private key, a certificate or certificate bundle, or an archive.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    Certificate
    .
  4. For the
    Certificate Name
    setting:
    • If you are importing a new certificate, select
      Create New
      and type a unique name in the field.
    • If you are replacing an existing certificate, select
      Overwrite Existing
      and select a certificate name from the list.
  5. For the
    Certificate Source
    setting, do one of the following:
    • Select the
      Upload File
      option, and browse to the location of the certificate file.
    • Select the
      Paste Text
      option, and paste the certificate text copied from another source.
  6. Click
    Import
    .
After you perform this task, the SSL certificate that was signed by a CA is installed.

Importing an SSL key

You can use the BIG-IP Configuration utility to import an SSL key onto the BIG-IP system from another location.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    Key
    .
  4. For the
    Key Name
    setting, do one of the following:
    • Select the
      Create New
      option, and type a unique name in the field.
    • Select the
      Overwrite Existing
      option, and select a certificate name from the list.
  5. For the
    Key Source
    setting, do one of the following:
    • Select the
      Upload File
      option, and browse to the location of the key file.
    • Select the
      Paste Text
      option, and paste the key text copied from another source.
  6. In the
    Password
    field, type the password associated with the import source.
  7. from the
    Security Type
    list, select a security type.
  8. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified key.

Importing a PKCS-formatted file

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    PKCS 12 (IIS)
    .
  4. For the
    Certificate Name
    setting, type a certificate name.
  5. For the
    Certificate Source
    setting, click
    Browse
    and locate the source file.
  6. In the
    Password
    field, type the password associated with the import source.
  7. from the
    Security Type
    list, select a security type.
  8. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file.

Importing a PKCS-formatted file with SM2 license

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format with an SM2 license.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    PKCS 12 (IIS)
    .
  4. For the
    Certificate and Key Name
    setting, select
    New
    and type a certificate name.
  5. For the
    Certificate and Key Source
    setting, click
    SM2
    . Click
    Choose File
    for both
    Signing
    and
    Encryption
    to select the associated source files.
  6. In the
    Password
    field, type the password associated with the import source.
  7. From the
    Key Security
    list, sselect a security type to specify the level of security to use when importing and storing a key. For example a Security Type of Password means that you specify a password to protect the imported key. The password must be provided when the key is used. The default is
    Normal
    .
    • Normal
      : Specifies that the key file is imported without password protection. In this case, the key resides in a standard form on the file system.
    • Password
      : Specifies that the key is protected by a passphrase and stored in encrypted form. When you select this option, you must also specify a passphrase in the
      Password
      text box.
  8. Click
    Import
    .
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file with a SM2 license.
You are now ready to create a SM2 cihper rule and cipher group to use when creating a customer Client SSL profile that supports SM2. See the
Create a custom Client SSL profile that supports SM2
section in this guide for detailed steps.

Importing an archive file

You can use the BIG-IP Configuration utility to upload an archive file onto the BIG-IP system.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the
    Import
    button.
  3. For the
    Upload Archive File
    setting, click
    Browse
    and select the file to be imported.
  4. Click the
    Load
    button.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Exporting an SSL certificate

You perform this task to export an SSL certificate to another device.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. Click the name of the certificate you want to export.
    The General Properties screen displays.
  3. Click
    Export
    .
    The Certificate Export screen displays the contents of the certificate in the
    Certificate Text
    box.
  4. To obtain the certificate, do one of the following:
    • Copy the text from the
      Certificate Text
      field, and paste it as needed into an interface on another system.
    • At the
      Certificate File
      option, click
      Download filename
      where the filename is the name of the certificate file, such as
      mycert.crt
      .

Exporting an SSL certificate to another device with an SM2 license

You perform this task to export an SSL certificate to another device with an SM2 license.
  1. On the Main tab, click
    System
    Certificate Managment
    Traffic Certificate Managment
    .
    The Traffic Certificate Management screen opens.
  2. Click the name of the SM2 certificate you want to export.
    The General Properties screen displays.
  3. Click
    Export
    .
    The Certificate Export screen displays the contents of the certificate in the
    Certificate Text
    box.
  4. To obtain the certificate, do one of the following:
    1. Copy the text from the
      Certificate Text
      field, and paste it as needed into an interface on another system with an SM2 license.
    2. At the
      Certificate File
      option, click
      Download Filename
      where the filename of the certificate file, such as mycert.crt.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Viewing a list of certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. In the Name column, view the list of certificates on the system.

Viewing a list of SM2 certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    .
    The Traffic Certificate Management screen opens.
  2. In the
    Name
    column, select your SM2 certificate and key to view the details on the system. The
    Contents
    column will also indicate the item is a
    SM2 Certificate & Key
    .
You can now view your SM2 certificate and key details.

Digital SSL certificate properties

From the BIG-IP Configuration utility, you can see the properties of the SSL digital certificates you have installed on the BIG-IP system.
Property
Description
Certificate
The name of the certificate.
Content
The type of certificate content, for example, Certificate Bundle or Certificate and Key.
Common name
The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is
localhost.localdomain
.
Expiration date
The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization
The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is
MyCompany
.

About certificate bundle management

You can use the bundle manager to automatically update and install certificate authority (CA) bundles on the system from two sources: local certificate file objects and remote URL resources. By using the
Include Bundles
and
Include URLs
options, you can combine CA certificates from various sources to create a new, customized CA bundle. You can also use the
Exclude Bundles
and
Exclude URLs
options to remove certain CA certificates from the resulting CA bundle file. The newly created or modified CA bundle file is installed as a certificate-file-object on the system and used as a trusted CA bundle by other modules.
In addition, you can set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created CA bundle manager does not create or update the managed CA bundle object. Exceptions are if the CA bundle manager has a positive update interval or is explicitly told to do so since you have set the
Update Now
option.

Creating a new certificate bundle

You can create a new certificate authority (CA) bundle, and specify bundles and URLs to include or exclude. You can also set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources.
The resulting bundle file will be named the same as the bundle manager object.
By default, a newly created CA bundle manager does not create or update the managed CA bundle object unless the CA bundle manager has a positive
Update Interval
or is explicitly told to do so by the
Update Now
option.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Bundle Manager List
    .
    The Bundle Manager List screen opens.
  2. Click
    Create
    .
  3. From the
    Include Bundles
    Available
    list, select the certificate file objects to include for generating a new CA bundle.
  4. In the
    Include URLs
    field, type the URL where remote CA bundles reside, and click
    Add
    to include that for generating the new CA bundle.
    Only HTTPS URLs are allowed in the
    Include URLs
    fields.
  5. From the
    Exclude Bundles
    Available
    list, select the certificate file objects to exclude from the new CA bundle.
  6. In the
    Exclude URLs
    field, type the URL where remote CA bundles reside, and click
    Add
    to exclude it from the new CA bundle.
    Only HTTPS URLs are allowed in the
    Exclude URLs
    fields.
  7. In the
    Update Interval
    field, type the number of days at which to refresh the remote CA bundles at the URLs.
    The default value is set to
    0
    and indicates that the generated CA bundle is not dynamically updated.
  8. If you want the CA bundle manager to immediately refresh its generated CA bundle from all its sources and recalculate its certificate contents, select the
    Update Now
    check box.
    The default value is disabled.
  9. From the
    Trusted CA-Bundle
    list, select the CA bundle that this CA bundle manager will use to download remote CA bundles in the include and exclude URLs.
  10. In the
    Proxy Server
    field, type the host name or IP address of the proxy server for accessing remote URL resources.
    Only HTTP proxy is supported. You may optionally prepend
    http://
    to the host name or IP address.
  11. In the
    Proxy Server Port
    field, type the port number of the proxy server for accessing remote URL resources.
    The default is
    3128
    .
  12. In the
    Download Timeout
    field, specify the timeout period, in seconds, to download the remote CA bundles from the URLs.
    The value range is from 1 to 3600 (1 hour) seconds.
    The default value is
    8
    seconds.
  13. Click
    Finished
    .
The system installs a generated CA bundle file as a certificate-file-object on the system to be used as a trusted CA bundle by other modules.

Modifying an existing certificate bundle

You can use the bundle manager to modify an existing certificate authority (CA) bundle.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Bundle Manager List
    .
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. From the
    Bundle Manager List
    , click the name of the CA bundle that you want to modify.
    The Properties screen opens showing the selected CA bundle general properties and configuration details
  3. Select the
    Update Now
    check box if you want the bundle to be updated.
  4. Modify any of the configuration details needed, and click
    Update
    .
The system updates the selected CA bundle’s configuration with the modified configuration details.

Deleting an existing certificate bundle

You can use the bundle manager to delete an existing certificate authority (CA) bundle.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Bundle Manager List
    .
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. Select the check box next to the name of the CA bundle that you want to delete.
  3. Click
    Delete
    .
    You can also delete a CA bundle on the Properties screen by clicking
    Delete
    at the bottom of the screen.
    Deleting the CA bundle manager does not delete the managed CA bundle file object. You should delete the CA bundle file object separately or you might receive an error message indicating that your managed CA bundle file object is referenced by a CA bundle manager.
This deletes the selected CA bundle from the system.

About certificate order management

The BIG-IP system supports a unified interface for F5 customers to manage Certificate Authority (CA) certificate operations within the BIG-IP. Currently, F5 supports the following Certificate Authorities for which the BIG-IP automatically generates certificates using their APIs:
  • Comodo (now known as Sectigo)
  • Symantec (purchased by Digicert)
  • GoDaddy
  • DigiCert
You can generate, renew, and revoke certificates as necessary after setting up general properties, authentication details, certificate authority request order information, and internal proxy connection details.
A CA request is made up of multiple pieces of information from both the Certificate Order Manager and the Certificate Signing Request (CSR). This information is combined in the API request sent to the vendor. For example, the Certificate Order Manager object maintains information about contacting the CA, including authentication information and URI. It also maintains information about the type of certificate product being purchased from the vendor. The CSR, created during the certificate key creation in TMOS, maintains information about the specific host, or hosts, that the certificate is intended to cover (such as their common name, email address, and other information). With this information combined in the API request and sent to the vendor, it allows you to configure one certificate order for multiple certificates that use common certificate types and durations.
Make sure to read the Certificate Authority documentation you select so to better understand and note specific CA requirements, APIs, and other information that you will need so to complete the new certificate order information fields. Each Certificate Authority requires different information to generate a CA order. You will need to map the external CA information in their documentation to the fields in this task.

Generating a new certificate order (Comodo)

  • Before setting up the CA order, you must first do one of the following:
    • Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
    • Setup and configure a proxy server pool in your system's environment.
  • Make sure you have an account with the CA that is being setup for API access.
To generate a new Comodo certificate order, use the following steps.
Comodo is now known as Sectigo. For Comodo certificate manager tool and account information, see the official Sectigo web site. Make sure to read the Sectigo documentation and refer to it as necessary to understand their requirements, APIs, and other information that will help you complete the new certificate order information fields. In this documentation, and in the BIG-IP UI, F5 refers to Comodo as the CA name.
Each CA requires different information to generate a CA order. Depending on the CA you select, certificate order fields will vary and are tailored to be vendor specific. The certificate order manager information will be paired with the CSR information, which is created when configuring the certificate key in TMOS (this maintains information about the specific host or hosts that the certificate is intended to cover, such as their common name, email address, etc.). These are combined in the API request that is sent to the vendor.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Certificate Order Manager List
    . The Certificate Order Manager List screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
  4. From the
    Certificate Authority
    list, select
    Comodo
    .
    Comodo is the default certificate authority selected.
  5. The
    Auto Renew
    field is selected by default.
  6. In the
    Login Name
    field, type a unique login name. Use the same login name you use with your Comodo CA account.
  7. In the
    Login Password
    field, type a password. Use the same login password you use with your Comodo CA account.
    For Comodo, F5 recommends you use a dedicated user for API access with limited rights to specific items rather than the overall administrator object used at log in.
  8. In the
    Validity Days
    field, type the number of days the certificate authority request remains valid.
    Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.
    For Comodo, this number must later match one of the options configured in the CCM for the certificate type.
  9. In the
    Base URL
    field, type your CA account’s base URL if it is different from the default base URL provided by the CA.
  10. In the
    Additional HTTP Headers
    field, type the CA’s specific key value pair (separated by a colon). You can add additional key value pairs by separating them with a semicolon. In this instance, the key is the unique customer URI and the value is specific to the user. For example, you must have the following string:
    customerURI:<customer uri>
    . The
    <customer uri>
    is replaced with the actual customer URI.
    Check with your specific CA account documentation to determine how to use their API information and determine required additional HTTP header information.
    This field is required for the Comodo CA order. When you create an account with Comodo, the customer URI is unique to Comodo CA and is provided for customer use. The Comodo customer URI is found by looking at the URI used to access the Comodo certificate manager. For example, if the URI for Comodo is
    https://cert-manager.com/customer/my-customer-uri/locale=en#0
    , then the customer URI is between
    customer/
    and before
    /locale
    and is, in this example,
    my-customer-uri
    .
  11. From the
    CA Certificate
    list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is
    ca-bundle
    .
  12. In the
    Order Information
    fields, fill in the information required by your selected CA.
    Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.
    The options in the
    Order Information
    field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name
    Values
    , the text field at the bottom of the
    Order Information
    section will automatically populate with your CA configuration.
    1. Select the
      Edit as text box
      if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the
      Order Information
      section. If you add the CA configuration information in this manner, the required fields in
      Order Information
      will be automatically populated with the values you input for each required
      Name
      field.
      For Comodo, after entering the
      OrgID
      , enter
      -1
      in the
      Server Type
      field to indicate that the certificate is for the server type
      other
      .
    2. Use your CA account documentation to complete the required configuration fields provided.
    3. Click
      Add
      to add additional
      Name
      and
      Value
      fields from the list. This list is of names you can add are specific to the CA account you have chosen.
      For Comodo CA, you can also click Add next to the Custom Fields name and type a custom Name not available in the list.
    4. Click
      Delete
      after selecting to remove any additional
      Name
      and
      Value
      fields you have added.
      You may not delete any CA API information required by your CA.
    As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the keys in the CA API.
    Mapping of required F5 names to the original name of the keys in the Comodo CA API
    F5 Names in Order Information
    Vendor Keys in the CA API
    Org ID
    orgId
    Server Type
    serverType
    F5 recommends that you verify the order information with the vendor before using in production.
  13. In the
    Internal Proxy
    fields, do the following to setup an internal proxy to allow outside communications:
    1. Select
      New Internal Proxy
      or
      Internal Proxy List
      .
      You can also manage existing internal proxies, or create new internal proxies, by selecting
      System
      Services
      Internal Proxies
      and either select an existing internal proxy name to edit or click
      Create
      to create a new one.
      • New Internal Proxy
        : If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide
        Proxy Server Pool
        details), specify the
        DNS Resolver
        and
        Route Domain
        (optional) information.
      • Internal Proxy List
        : If you select to use an existing internal proxy list, select it from the available items in the list.
  14. Click
    Finished
    .
You have now successfully generated a new Comodo certificate order manager object.
You are now ready to create:
  • a new SSL certificate
  • check certificate request status
  • renew a certificate
  • revoke a certificate.

Generating a new certificate order (Symantec)

  • Before setting up the CA order, you must first do one of the following:
    • Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
    • Setup and configure a proxy server pool in your system's environment.
  • Make sure you have an account with the CA that is being setup for API access.
To generate a new Symantec certificate order, use the following steps.
Symantec is now known as Digicert (after Digicert purchased Symantec). In this documentation, and in the BIG-IP UI, F5 refers to Symantec as the CA name. For Symantec certificate manager tool and account information, see the official Symantec (or Digicert as needed) web site.
Each CA requires different information to generate a CA order. Depending on the CA you select, certificate order fields will vary and are tailored to be vendor specific. The certificate order manager information will be paired with the CSR information, which is created when configuring the certificate key in TMOS (this maintains information about the specific host or hosts that the certificate is intended to cover, such as their common name, email address, etc.). These are combined in the API request that is sent to the vendor.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Certificate Order Manager List
    . The Certificate Order Manager List screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
  4. From the
    Certificate Authority
    list, select
    Symantec
    .
    Comodo is the default certificate authority selected.
  5. The
    Auto Renew
    field is selected by default.
  6. From the
    Client Certificate
    list, select the required client certificate.
    For Symantec, the user must be authorized for the VICE2 web services application role (
    W
    in the Roles list). This can be checked by logging into your Symantec account.
  7. From the
    Client Key
    list, select the required client key.
  8. In the
    Key Passphrase
    field, type the CA’s key passphrase.
  9. In the
    Validity Days
    field, type the number of days the certificate authority request remains valid.
    Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.
  10. In the
    Base URL
    field, type your CA account’s base URL if it is different from the default base URL provided by the CA.
  11. Leave the
    Additional HTTP Headers
    field blank. Symantec does not require this information.
  12. From the
    CA Certificate
    list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is
    ca-bundle
    .
  13. In the
    Order Information
    fields, fill in the information required by your selected CA.
    Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.
    The options in the
    Order Information
    field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name
    Values
    , the text field at the bottom of the
    Order Information
    section will automatically populate with your CA configuration.
    1. Select the
      Edit as text box
      if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the
      Order Information
      section. If you add the CA configuration information in this manner, the required fields in
      Order Information
      will be automatically populated with the values you input for each required
      Name
      field.
    2. Use your CA account documentation to complete the required configuration fields provided.
    3. Click
      Add
      to add additional
      Name
      and
      Value
      fields from the list. This list is of names you can add are specific to the CA account you have chosen.
    4. Click
      Delete
      after selecting to remove any additional
      Name
      and
      Value
      fields you have added.
      You may not delete any CA API information required by your CA.
    As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the value
    Names
    .
    Mapping required F5 names to the original name of the keys in the Symantec CA API
    F5 Names in Order Information
    Vendor Keys in the CA API
    First Name
    firstName
    Last Name
    lastName
    Email
    email
    Product Type
    certProductType
    Server Type
    serverType
    F5 recommends that you verify the order information with the vendor before using in production.
  14. In the
    Internal Proxy
    fields, do the following to setup an internal proxy to allow outside communications:
    1. Select
      New Internal Proxy
      or
      Internal Proxy List
      .
      You can also manage existing internal proxies, or create new internal proxies, by selecting
      System
      Services
      Internal Proxies
      and either select an existing internal proxy name to edit or click
      Create
      to create a new one.
      • New Internal Proxy
        : If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide
        Proxy Server Pool
        details), specify the
        DNS Resolver
        and
        Route Domain
        (optional) information.
      • Internal Proxy List
        : If you select to use an existing internal proxy list, select it from the available items in the list.
  15. Click
    Finished
    .
You have now successfully generated a new Symantec certificate order manager object.
You are now ready to create:
  • a new SSL certificate
  • check certificate request status
  • renew a certificate
  • revoke a certificate.

Generating a new certificate order (GoDaddy/DigiCert)

  • Before setting up the CA order, you must first do one of the following:
    • Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
    • Setup and configure a proxy server pool in your system's environment.
  • Make sure you have an account with the CA that is being setup for API access.
The following products that are currently supported under 'type_hint' for DigiCert:
  • ssl_plus
  • ssl_multi_domain
  • ssl_wildcard
  • ssl_ev_plus
  • ssl_ev_multi_domain
To generate a new Godaddy/DigiCert certificate order, use the following steps.
Each CA requires different information to generate a CA order. Depending on the CA you select, certificate order fields will vary and are tailored to be vendor specific. The certificate order manager information will be paired with the CSR information, which is created when configuring the certificate key in TMOS (this maintains information about the specific host or hosts that the certificate is intended to cover, such as their common name, email address, etc.). These are combined in the API request that is sent to the vendor.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Certificate Order Manager List
    . The Certificate Order Manager List screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
  4. From the
    Certificate Authority
    list, select
    GoDaddy
    or
    DigiCert
    .
    Comodo is the default certificate authority selected.
  5. The
    Auto Renew
    field is selected by default.
  6. In the
    Security Token
    field, specify the GoDaddy or DigiCert CA account access security token.
  7. In the
    Validity Days
    field, type the number of days the certificate authority request remains valid.
    Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.
  8. In the
    Base URL
    field, type your CA account’s base URL if it is different from the default base URL provided by the CA.
  9. Leave the
    Additional HTTP Headers
    field blank.
  10. From the
    CA Certificate
    list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is
    ca-bundle
    .
  11. In the
    Order Information
    fields, fill in the information required by your selected CA.
    Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.
    The options in the
    Order Information
    field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name
    Values
    , the text field at the bottom of the
    Order Information
    section will automatically populate with your CA configuration.
    1. Select the
      Edit as text box
      if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the
      Order Information
      section. If you add the CA configuration information in this manner, the required fields in
      Order Information
      will be automatically populated with the values you input for each required
      Name
      field.
    2. Use your CA account documentation to complete the required configuration fields provided.
    3. Click
      Add
      to add additional
      Name
      and
      Value
      fields from the list. This list is of names you can add are specific to the CA account you have chosen.
    4. Click
      Delete
      after selecting to remove any additional
      Name
      and
      Value
      fields you have added.
      You may not delete any CA API information required by your CA.
  12. In the
    Internal Proxy
    fields, do the following to setup an internal proxy to allow outside communications:
    1. Select
      New Internal Proxy
      or
      Internal Proxy List
      .
      You can also manage existing internal proxies, or create new internal proxies, by selecting
      System
      Services
      Internal Proxies
      and either select an existing internal proxy name to edit or click
      Create
      to create a new one.
      • New Internal Proxy
        : If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide
        Proxy Server Pool
        details), specify the
        DNS Resolver
        and
        Route Domain
        (optional) information.
      • Internal Proxy List
        : If you select to use an existing internal proxy list, select it from the available items in the list.
  13. Click
    Finished
    .
You have now successfully generated a new Godaddy/DigiCert certificate order manager object.
You are now ready to create:
  • a new SSL certificate
  • check certificate request status
  • renew a certificate
  • revoke a certificate.

Creating a new SSL certificate and key

After creating a new certificate order you will need to request a new certificate from the CA. In order to create a certificate, you will generate a key and Certificate Signing Request (CSR), followed by uploading the CSR to the CA. The CA then generates that will be downloaded and imported into the BIG-IP.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    . The SSL Certificate List screen opens.
  2. Click
    Create
    . The New SSL Certificate screen opens.
  3. In the
    Name
    field, type a unique name for the new SSL certificate.
  4. From the
    Issuer
    list, select
    Certificate Authority
    to create a request for a certificate/key pair to be sent to a certificate authority. When you send a request to a certificate authority, the certificate authority returns a signed certificate which you then install on the system.
  5. In the
    Common Name
    field, type the common name attribute for the certificate. The common name is embedded in the certificate for name-based authentication purposes.
  6. Configure any necessary fields in the
    Certificate Signing Request Attributes
    section.
  7. From the
    Certificate Order Manager
    list, select the certificate order manager created in the Certificate Order Manager List screen.
  8. From the
    Order Type
    list, select
    New
    .
  9. In the
    Order Passphrase
    field, type a password that contains at least one special character, one numeric digit, one lowercase letter, and one uppercase letter.
    This is only required for Symantec.
  10. Click
    Finished
    . The Certificate Signing Request screen opens.
  11. Review any necessary details and click
    Finished
    .
  12. Select the
    Key
    tab. The CA’s Key Properties and Certificate Order Properties screen opens.
  13. In the
    Certificate Order
    field,
    Order Status
    will first show
    In Progress
    , followed by a status of
    New Oder Pending
    , and finishing with
    New Order Approved
    .
    Click
    Refresh
    to update the UI as necessary.
  14. Click
    Download Certificate(s) Now
    to manually check for the status of the order and download the certificate if it has been approved. Click
    Refresh
    for the page to be updated with the result. The
    Order Status
    field now shows
    New Order Approved
    .
  15. Select the
    Certificate
    tab. Note that the certificate has now been installed (view details shared in the
    Certificate Properties
    section.
Your new CA certificate has been successfully installed.

Renewing an existing SSL certificate and key

To renew an existing SSL certificate and key, use the following steps.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    . The SSL Certificate List screen opens.
  2. From the
    Name
    column, select the existing CA certificate and key you want to renew from the list. The Certificate screen opens.
  3. Select the
    Key
    tab. The Key screen opens showing the Key Properties and the Certificate Order Properties.
  4. In the
    Certificate Order
    section, do the following if you selected a Comodo certificate and key from the list:
    1. From the
      Type
      list, select
      Renew
      .
    2. In the
      ID
      field, type the order ID.
      The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.
    3. Click
      Update
      . The
      Order Status
      field will show
      Revoke Order Approved
      . If any necessary information is not filled in, the
      Order Status
      will change to
      New Order Rejected
      .
  5. In the
    Certificate Order
    section, do the following if you selected a Symantec certificate and key from the list:
    1. From the
      Type
      list, select
      Renew
      .
    2. In the
      Passphrase
      field, you must type the required challenge passphrase for your certificate order to be approved.
    3. In the
      ID
      field, make sure the order ID is present.
      The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.
    4. Click
      Update
      . The
      Order Status
      field will change to
      Revoke Order Approved
      .
    From the
    Type
    list, you can also select
    New
    to create a new certificate order to the CA.
You have successfully renewed your existing SSL certificate and key.

Revoking an existing SSL certificate and key

To revoke an existing SSL certificate and key, use the following steps. Revoking an existing certificate and key can be necessary if it has been compromised, its affiliation has changed, and other reasons.
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    . The SSL Certificate List screen opens.
  2. From the
    Name
    column, select the existing CA certificate and key you want to revoke from the list. The Certificate screen opens.
  3. Select the
    Key
    tab. The Key screen opens showing the Key Properties and the Certificate Order Properties.
  4. In the
    Certificate Order
    section, do the following if you selected a Comodo certificate and key from the list:
    1. From the
      Type
      list, select
      Revoke
      .
    2. From the
      Revoke Reason
      list, select the reason you are revoking the existing SSL certificate and key.
    3. In the
      ID
      field, type the order ID.
      The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.
    4. Click
      Update
      . The
      Order Status
      field will change to
      Revoke Order Approved
      . If any necessary information is not filled in, the
      Order Status
      will change to
      New Order Rejected
      .
  5. In the
    Certificate Order
    section, do the following if you selected a Symantec certificate and key from the list:
    1. From the
      Type
      list, select
      Revoke
      .
    2. In the
      Passphrase
      field, you must type the required challenge passphrase for your certificate order revoke request to be approved.
    3. In the
      ID
      field, make sure the order ID is present.
      The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.
    4. Click
      Update
      . The
      Order Status
      field will change to
      Revoke Order Approved
      .
    From the
    Type
    list, you can also select
    Cancel
    to cancel the previous certificate order to the CA. However, if the order was already sent to the server, the CA will still issue a certificate and cannot be cancelled.
You have successfully revoked your existing SSL certificate and key.

Modifying an existing certificate order manager

To modify an existing certificate order manager, use the following steps:
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Certificate Order Manager List
    . The Certificate Order Manager List screen opens.
  2. Click the
    Name
    of the certificate you want to modify.
  3. Modify necessary fields and click
    Update
    .
You have now successfully modified an existing certificate order.

Deleting an existing certificate order manager

To delete an existing certificate order manager, use the following steps:
  1. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    Certificate Order Manager List
    . The Certificate Order Manager List screen opens.
  2. Select the check box next to the
    Name
    of the certificate you want to delete.
  3. Click
    Delete
    .
You have now successfully deleted an existing certificate order.