Manual Chapter : SSL Certificate Management

Applies To:

BIG-IP DNS, BIG-IP Analytics, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM, BIG-IP AAM, BIG-IP Link Controller, BIG-IP APM, BIG-IP LTM

  • 14.1.2, 14.1.0, 14.0.1, 14.0.0
SSL Certificate Management

Supported certificate/key types

The BIG-IP® system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:

  • Rivest Shamir Adleman (RSA)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Digital Signature Algorithm (DSA)

When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.

Note: On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About RSA certificates

RSA (Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP® system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses its private key associated with the public key to decrypt the data. Only the private key can be used to decrypt data encrypted with the public key.

Because only the holder of the private key can decrypt data encrypted with the public key, the RSA algorithm also provides an authentication mechanism.

About DSA certificates

DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than RSA does. DSA is paired with a key exchange method such as Diffie-Hellman or Elliptic Curve Diffie-Hellman to achieve a level of security comparable to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with new government standards, such as those for specific key lengths.

About ECDSA certificates

When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm). An ECDSA key is based on Elliptic Curve Cryptography (ECC), and provides better security and performance with significantly shorter key lengths.

Encryption based on ECC is ideally suited for mobile devices that cannot store large keys.

For example, an RSA key size of 2048 bits is equivalent to an ECC key size of only 224 bits. Less computing power is therefore required, which results in faster, more secure connections. The BIG-IP system supports the elliptic curves prime256v1, secp384r1, and secp521r1.

Note: The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

About SSL certificate management

You can obtain a certificate for the BIG-IP system by using the BIG-IP® Configuration utility to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.

In addition to requesting CA-signed certificates, you can create self-signed certificates. You create self-signed certificates primarily for testing purposes within an organization.

When you install the BIG-IP software, the application includes a default self-signed certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate bundle contains certificates from most of the well-known CAs.

Note: To manage digital certificates for the BIG-IP system, you must have a role of Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user account.

Creating a self-signed certificate that contains an ECDSA key type

You can use this task to create a self-signed certificate with an ECDSA key type. The certificate is used to authenticate and secure either client-side or server-side HTTP traffic.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the Key Type list, select ECDSA.
  15. From the Curve list, select an elliptic curve:
    Option       Description
    prime256v1   Creates a key that is 256 bits in length
    secp384r1    Creates a key that is 384 bits in length
    secp521r1    Creates a key that is 521 bits in length
    Note: In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  16. Click Finished.
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a CA-signed certificate that contains an ECDSA key type

You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. From the Key Type list, select ECDSA.
  17. From the Curve list, select an elliptic curve:
    Option       Description
    prime256v1   Creates a key that is 256 bits in length
    secp384r1    Creates a key that is 384 bits in length
    secp521r1    Creates a key that is 521 bits in length
    Note: In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  18. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate request.
    • For Request File, click the button.
  19. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  20. Click Finished.
    The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for signature.
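The two ECDSA procedures above map onto a handful of OpenSSL commands. This is an added example, not part of this manual and not F5's own tooling: it builds the same artifacts (a self-signed certificate and a CA request carrying the Common Name, Division, Organization, Locality, State, Country, E-mail Address, Lifetime, Subject Alternative Name and Curve values) so that the curve, key length and SAN of a certificate can be confirmed before it is imported onto the BIG-IP system. The subject values and the second SAN entry are constructed; www.siterequest.com is the manual's own placeholder host name, and OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example, not part of the F5 manual: the OpenSSL equivalent of the two
# ECDSA procedures above, so the curve, key length and SAN of a certificate can
# be checked before it is imported. Subject values are constructed;
# www.siterequest.com is the manual's own placeholder host name.
set -eu
WORK="$(mktemp -d)"
# Common Name, Division (OU), Organization, Locality, State, Country, E-mail Address
SUBJ="/C=US/ST=Washington/L=Seattle/O=MyCompany/OU=IT/CN=www.siterequest.com/emailAddress=admin@siterequest.com"
# Subject Alternative Name: one certificate protecting two host names
SAN="subjectAltName=DNS:www.siterequest.com,DNS:siterequest.com"

# Issuer: Self, Key Type: ECDSA, Curve: $1, Lifetime: 365 days
make_self_signed() {
  openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$1" -nodes \
    -days 365 -subj "$SUBJ" -addext "$SAN" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  printf '%s\n' "$WORK/$1.crt"
}

# Issuer: Certificate Authority. Produces the request text to paste or upload
# at the CA. The GUI's Challenge Password is a PKCS#10 attribute rather than an
# extension and is not set here.
make_csr() {
  openssl req -new -newkey ec -pkeyopt "ec_paramgen_curve:$1" -nodes \
    -subj "$SUBJ" -addext "$SAN" \
    -keyout "$WORK/$1.csr.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' "$WORK/$1.csr"
}

# Inspection helpers: the curve OID, the key length and the SAN actually embedded.
cert_curve() { openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: //p'; }
cert_bits()  { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit)/\1/p'; }
cert_sans()  { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }
csr_curve()  { openssl req -in "$1" -noout -text | sed -n 's/.*ASN1 OID: //p'; }

# The Curve table from the procedure: prime256v1 -> 256, secp384r1 -> 384, secp521r1 -> 521 bits.
for curve in prime256v1 secp384r1 secp521r1; do
  crt="$(make_self_signed "$curve")"
  echo "$curve: $(cert_bits "$crt")-bit key on curve $(cert_curve "$crt")"
done
echo "SAN: $(cert_sans "$WORK/prime256v1.crt")"
csr="$(make_csr prime256v1)"
echo "CSR curve: $(csr_curve "$csr")"
```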

Creating a FIPS-type self-signed certificate

You can use this task to create a self-signed certificate to authenticate and secure either client-side or server-side HTTP traffic.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the Security Type list, select FIPS.
  15. From the Key Type list, select RSA, DSA, or ECDSA.
  16. If you selected ECDSA, then from the Curve list, select an elliptic curve.
    Note: The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  17. Click Finished.
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a FIPS-type CA-signed certificate

Use this task to create a request for a certificate with FIPS-type security from a certificate authority.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
    This displays the list of certificates installed on the system.
  2. Click Create.
    The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select Certificate Authority.
    • For a self-signed certificate, select Self.
  5. Configure the Common Name setting and any other settings as needed.
  6. From the Security Type list, select FIPS.
  7. From the Key Type list, select RSA, DSA, or ECDSA.
  8. If you selected ECDSA, then from the Curve list, select an elliptic curve.
    Note: The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  9. Click Finished.

Converting a key to FIPS format

You can use the BIG-IP Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
  2. Click a certificate name.
    This displays the properties of that certificate.
  3. On the menu bar, click Key.
    This displays the type and size of the key associated with the certificate.
  4. Click Convert to FIPS to convert the key to a FIPS key.
    The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About SSL file import

You can import several types of SSL files onto the BIG-IP system.

Importing a certificate signed by a certificate authority

Before performing this task, confirm that a digital certificate signed by a certificate authority (CA) is available.
You can install an SSL certificate signed by a CA by importing a certificate that already exists on the hard drive of the management workstation. You can import a private key, a certificate or certificate bundle, or an archive.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting:
    • If you are importing a new certificate, select Create New and type a unique name in the field.
    • If you are replacing an existing certificate, select Overwrite Existing and select a certificate name from the list.
  5. For the Certificate Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the certificate file.
    • Select the Paste Text option, and paste the certificate text copied from another source.
  6. Click Import.
After you perform this task, the SSL certificate that was signed by a CA is installed.

Importing an SSL key

You can use the BIG-IP Configuration utility to import an SSL key onto the BIG-IP system from another location.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, do one of the following:
    • Select the Create New option, and type a unique name in the field.
    • Select the Overwrite Existing option, and select a certificate name from the list.
  5. For the Key Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the key file.
    • Select the Paste Text option, and paste the key text copied from another source.
  6. In the Password field, type the password associated with the import source.
  7. From the Security Type list, select a security type.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified key.

Importing a PKCS-formatted file

You can use the BIG-IP Configuration utility to import a file in Public Key Cryptography Standards (PKCS) #12 format onto the BIG-IP system.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select PKCS 12 (IIS).
  4. For the Certificate Name setting, type a certificate name.
  5. For the Certificate Source setting, click Browse and locate the source file.
  6. In the Password field, type the password associated with the import source.
  7. From the Security Type list, select a security type.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file.

Importing an archive file

You can use the BIG-IP Configuration utility to upload an archive file onto the BIG-IP system.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. For the Upload Archive File setting, click Browse and select the file to be imported.
  4. Click the Load button.
After you perform this task, the archive file is uploaded onto the BIG-IP system.

Exporting an SSL certificate

You perform this task to export an SSL certificate to another device.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click the name of the certificate you want to export.
    The General Properties screen displays.
  3. Click Export.
    The Certificate Export screen displays the contents of the certificate in the Certificate Text box.
  4. To obtain the certificate, do one of the following:
    • Copy the text from the Certificate Text field, and paste it as needed into an interface on another system.
    • At the Certificate File option, click Download filename where the filename is the name of the certificate file, such as mycert.crt.

Viewing a list of certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. In the Name column, view the list of certificates on the system.

Digital SSL certificate properties

From the BIG-IP Configuration utility, you can see the properties of the SSL digital certificates you have installed on the BIG-IP system.

Property          Description
Certificate       The name of the certificate.
Content           The type of certificate content, for example, Certificate Bundle or Certificate and Key.
Common name       The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Expiration date   The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization      The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.

About certificate bundle management

You can use the bundle manager to automatically update and install certificate authority (CA) bundles on the system from two sources: local certificate file objects and remote URL resources. By using the Include Bundles and Include URLs options, you can combine CA certificates from various sources to create a new, customized CA bundle. You can also use the Exclude Bundles and Exclude URLs options to remove certain CA certificates from the resulting CA bundle file. The newly created or modified CA bundle file is installed as a certificate-file-object on the system and used as a trusted CA bundle by other modules.

In addition, you can set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created CA bundle manager does not create or update the managed CA bundle object; it does so only if it has a positive update interval or you explicitly trigger it by setting the Update Now option.

Creating a new certificate bundle

You can create a new certificate authority (CA) bundle, and specify bundles and URLs to include or exclude. You can also set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources.

Note: The resulting bundle file will be named the same as the bundle manager object.
Note: By default, a newly created CA bundle manager does not create or update the managed CA bundle object unless the CA bundle manager has a positive Update Interval or is explicitly told to do so by the Update Now option.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Bundle Manager List.
    The Bundle Manager List screen opens.
  2. Click Create.
  3. From the Include Bundles Available list, select the certificate file objects to include for generating a new CA bundle.
  4. In the Include URLs field, type the URL where remote CA bundles reside, and click Add to include it when generating the new CA bundle.
    Only HTTPS URLs are allowed in the Include URLs fields.
  5. From the Exclude Bundles Available list, select the certificate file objects to exclude from the new CA bundle.
  6. In the Exclude URLs field, type the URL where remote CA bundles reside, and click Add to exclude it from the new CA bundle.
    Only HTTPS URLs are allowed in the Exclude URLs fields.
  7. In the Update Interval field, type the number of days at which to refresh the remote CA bundles at the URLs.
    Note: The default value is set to 0 and indicates that the generated CA bundle is not dynamically updated.
  8. If you want the CA bundle manager to immediately refresh its generated CA bundle from all its sources and recalculate its certificate contents, select the Update Now check box.
    Note: The default value is disabled.
  9. From the Trusted CA-Bundle list, select the CA bundle that this CA bundle manager will use to download remote CA bundles in the include and exclude URLs.
  10. In the Proxy Server field, type the host name or IP address of the proxy server for accessing remote URL resources.
    Note: Only HTTP proxy is supported. You may optionally prepend http:// to the host name or IP address.
  11. In the Proxy Server Port field, type the port number of the proxy server for accessing remote URL resources.
    Note: The default is 3128.
  12. In the Download Timeout field, specify the timeout period, in seconds, to download the remote CA bundles from the URLs.
    The value range is from 1 to 3600 (1 hour) seconds.
    Note: The default value is 8 seconds.
  13. Click Finished.
The system installs a generated CA bundle file as a certificate-file-object on the system to be used as a trusted CA bundle by other modules.
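The composition rule the bundle manager applies, as described in this section and in the procedure above (the union of the Include sources minus anything found in the Exclude sources, only HTTPS URLs accepted, and no refresh unless Update Interval is positive or Update Now is set), written out as an added offline model for this page. It is not F5 code and downloads nothing: the PEM payloads, the example.invalid URLs and the fetch lookup are constructed stand-ins, and verifying a download against the Trusted CA-Bundle is outside the model.

```python
"""Added example (not F5 code): offline model of the CA bundle manager's
include/exclude composition described in this chapter."""
import base64
import hashlib
import re
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def parse_bundle(text):
    """Map SHA-256 fingerprint -> DER bytes for each certificate in a bundle.
    Keying on decoded DER rather than PEM text means a CA that appears in two
    sources with different line wrapping is counted once."""
    certs = {}
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs

def to_pem(der):
    """Re-armour DER bytes as a PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def check_url(url):
    """Only HTTPS URLs are allowed in the Include URLs and Exclude URLs fields."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"only HTTPS URLs are allowed: {url}")
    return url

def should_refresh(update_interval_days, update_now):
    """Default Update Interval 0 and Update Now disabled: the managed bundle
    object is neither created nor updated."""
    return update_now or update_interval_days > 0

def compose_bundle(include_bundles, include_urls, exclude_bundles, exclude_urls, fetch):
    """Union of every Include source minus every certificate present in any
    Exclude source. Local file objects are PEM text; URL resources are read via
    `fetch` (checking that download against the Trusted CA-Bundle is outside
    this offline model)."""
    included, excluded = {}, {}
    for text in include_bundles:
        included.update(parse_bundle(text))
    for url in include_urls:
        included.update(parse_bundle(fetch(check_url(url))))
    for text in exclude_bundles:
        excluded.update(parse_bundle(text))
    for url in exclude_urls:
        excluded.update(parse_bundle(fetch(check_url(url))))
    return "".join(to_pem(der) for fp, der in included.items() if fp not in excluded)

def fake_cert(label):
    """Constructed stand-in: NOT a real certificate, only distinct bytes in PEM armour."""
    return to_pem(b"constructed-DER-for-" + label.encode())

LOCAL_BUNDLE = fake_cert("Root-A") + fake_cert("Root-B")  # a local certificate file object
REMOTE = {  # constructed stand-in for HTTPS resources that were already downloaded
    "https://bundles.example.invalid/public.pem": fake_cert("Root-B") + fake_cert("Root-C"),
    "https://bundles.example.invalid/distrusted.pem": fake_cert("Root-C"),
}

def demo():
    """Root-B is deduplicated across the two sources; Root-C is dropped by the exclude URL."""
    result = compose_bundle([LOCAL_BUNDLE], ["https://bundles.example.invalid/public.pem"],
                            [], ["https://bundles.example.invalid/distrusted.pem"],
                            fetch=REMOTE.__getitem__)
    return sorted(parse_bundle(result).values())
```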

Modifying an existing certificate bundle

You can use the bundle manager to modify an existing certificate authority (CA) bundle.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Bundle Manager List.
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. From the Bundle Manager List, click the name of the CA bundle that you want to modify.
    The Properties screen opens showing the selected CA bundle general properties and configuration details.
  3. Select the Update Now check box if you want the bundle to be updated.
  4. Modify any of the configuration details needed, and click Update.
The system updates the selected CA bundle’s configuration with the modified configuration details.

Deleting an existing certificate bundle

You can use the bundle manager to delete an existing certificate authority (CA) bundle.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Bundle Manager List.
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. Select the check box next to the name of the CA bundle that you want to delete.
  3. Click Delete.
    Note: You can also delete a CA bundle on the Properties screen by clicking Delete at the bottom of the screen.
    Note: Deleting the CA bundle manager does not delete the managed CA bundle file object. You should delete the CA bundle file object separately or you might receive an error message indicating that your managed CA bundle file object is referenced by a CA bundle manager.
This deletes the selected CA bundle from the system.