F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Digital Certificates Administration, v14.1.0.1
  5. SSL Certificate Management
Manual Chapter : SSL Certificate Management

Applies To:

Show Versions Show Versions
Manual Chapter
Table of Contents | << Previous Chapter

SSL Certificate Management

Supported certificate/key types

The BIG-IP® system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:

  • Rivest Shamir Adleman (RSA)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Digital Signature Algorithm (DSA)

When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.

Note: On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About RSA certificates

RSA (Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP® system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses its private key associated with the public key to decrypt the data. Only the private key can be used to decrypt data encrypted with the public key.

The RSA encryption algorithm includes an authentication mechanism.

Note: On the BIG-IP system, limits on SSL transactions per second (TPS) with RSA cipher suites vary according to key size.

About DSA certificates

DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than that of RSA. DSA is paired with a key exchange method such as Diffie-Hellman or Elliptical Curve Diffie-Hellman to achieve a comparable level of security to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with new government standards, such as those for specific key lengths.

About ECDSA certificates

When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm). An ECDSA key is based on Elliptic Curve Cryptography (ECC), and provides better security and performance with significantly shorter key lengths.

Encryption based on ECC is ideally suited for mobile devices that cannot store large keys.

For example, an RSA key size of 2048 bits is equivalent to an ECC key size of only 224 bits. As a result, less computing power is required, resulting in faster, more secure connections. The BIG-IP system supports the eilliptic curves prime256v1, secp384r1, and secp521r1.

Note: The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.

About SSL certificate management

You can obtain a certificate for the BIG-IP system by using the BIG-IP® Configuration utility to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA). The CA then issues a signed certificate.

In addition to requesting CA-signed certificates, you can create self-signed certificates. You create self-signed certificates primarily for testing purposes within an organization.

When you install the BIG-IP software, the application includes a default self-signed certificate. The BIG-IP system also includes a default CA bundle certificate. This certificate bundle contains certificates from most of the well-known CAs.

Note: To manage digital certificates for the BIG-IP system, you must have a role of Certificate Manager, Administrator, or Resource Administrator assigned to your BIG-IP user account.
Note: See additional information regarding SM2 options later in this section for importing, managing, and exporting a certificate and key with SM2 license. The BIG-IP system added SM2, SM3, and SM4 Cryptographic Algorithm support for the Chinese market. The algorithms were independently developed by the China State Cryptography Administration, where SM2 is the public key algorithm, SM3 is the hash algorithm, and SM4 is the block cipher algorithm. SM2 is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Creating a self-signed certificate that contains an ECDSA key type

You can use this task to create a self-signed certificate with an ECDSA key type. The certificate is used to authenticate and secure either client-side or server-side HTTP traffic.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the or State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the Key Type list, select ECDSA.
  15. From the Curve list, select an elliptic curve:
    Option Description
    prime256v1 Creates a key that is 256 bits in length
    secp384r1 Creates a key that is 384 bits in length
    secp521r1 Creates a key that is 521 bits in length
    Note: In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  16. Click Finished.
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a CA-signed certificate that contains an ECDSA key type

You can generate a certificate that includes an Elliptic Curve Digital Signature Algorithm (ECDSA) key type, and then copy it or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the or State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. From the Key Type list, select ECDSA.
  17. From the Curve list, select an elliptic curve:
    Option Description
    prime256v1 Creates a key that is 256 bits in length
    secp384r1 Creates a key that is 384 bits in length
    secp521r1 Creates a key that is 521 bits in length
    Note: In general, longer keys can impact performance but are more secure. Shorter keys result in better performance but are less secure.
  18. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate.
    • For Request File, click the button.
  19. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  20. Click Finished.
    The Certificate Signing Request screen displays.
The generated certificate is submitted to a trusted certificate authority for signature.

Creating a FIPS-type self-signed certificate

You can use this task to create a self-signed certificate to authenticate and secure either client-side or server-side HTTP traffic.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the or State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the Security Type list, select FIPS.
  15. From the Key Type list, select RSA, DSA, or ECDSA.
  16. If you selected ECDSA, then from the Curve list, select an elliptic curve.
    Note: The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  17. Click Finished.
    The name of the self-signed certificate appears in the list of certificates on the system.

Requesting a FIPS-type CA-signed certificate

Use this task to create a request for a certificate with FIPS type security from a certificate authority.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click Create.
    The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select Certificate Authority.
    • For a self-signed certificate, select Self.
  5. Configure the Common Name setting and any other settings as needed.
  6. From the Security Type list, select FIPS.
  7. From the Key Type list, select RSA, DSA, or ECDSA.
  8. If you selected ECDSA, then from the Curve list, select an elliptic curve.
    Note: The elliptic curve secp521r1 is not supported on the F5® 10350v-FIPS hardware platform.
  9. Click Finished.

Converting a key to FIPS format

You can use the BIG-IP Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List
  2. Click a certificate name.
    This displays the properties of that certificate.
  3. On the menu bar, click Key.
    This displays the type and size of the key associated with the certificate.
  4. Click Convert to FIPS to convert the key to a FIPS key.
    The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About SSL file import

You can import several types of SSL files onto the BIG-IP system.

Importing a certificate signed by a certificate authority

Before performing this task, confirm that a digital certificate signed by a certificate authority (CA) is available.
You can install an SSL certificate signed by a CA by importing a certificate that already exists on the hard drive of the management workstation. You can import a private key, a certificate or certificate bundle, or an archive.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting:
    • If you are importing a new certificate, select Create New and type a unique name in the field.
    • If you are replacing an existing certificate, select Overwrite Existing and select a certificate name from the list.
  5. For the Certificate Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the certificate file.
    • Select the Paste Text option, and paste the certificate text copied from another source.
  6. Click Import.
After you perform this task, the SSL certificate that was signed by a CA is installed.

Importing an SSL key

You can use the BIG-IP Configuration utility to import an SSL key onto the BIG-IP system from another location.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, do one of the following:
    • Select the Create New option, and type a unique name in the field.
    • Select the Overwrite Existing option, and select a certificate name from the list.
  5. For the Key Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the key file.
    • Select the Paste Text option, and paste the key text copied from another source.
  6. In the Password field, type the password associated with the import source.
  7. from the Security Type list, select a security type.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified key.

Importing a PKCS-formatted file

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select PKCS 12 (IIS).
  4. For the Certificate Name setting, type a certificate name.
  5. For the Certificate Source setting, click Browse and locate the source file.
  6. In the Password field, type the password associated with the import source.
  7. from the Security Type list, select a security type.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file.

Importing a PKCS-formatted file with SM2 license

You can use the BIG-IP Configuration utility to import file onto the BIG-IP system that is in Public Key Cryptography Standards (PKCS) number 12 format with an SM2 license.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select PKCS 12 (IIS).
  4. For the Certificate and Key Name setting, select New and type a certificate name.
  5. For the Certificate and Key Source setting, click SM2. Click Choose File for both Signing and Encryption to select the associated source files.
  6. In the Password field, type the password associated with the import source.
  7. From the Key Security list, sselect a security type to specify the level of security to use when importing and storing a key. For example a Security Type of Password means that you specify a password to protect the imported key. The password must be provided when the key is used. The default is Normal.
    • Normal: Specifies that the key file is imported without password protection. In this case, the key resides in a standard form on the file system.
    • Password: Specifies that the key is protected by a passphrase and stored in encrypted form. When you select this option, you must also specify a passphrase in the Password text box.
  8. Click Import.
After you perform this task, the BIG-IP system imports the specified PKCS 12-formatted file with a SM2 license.

You are now ready to create a SM2 cihper rule and cipher group to use when creating a customer Client SSL profile that supports SM2. See the Create a custom Client SSL profile that supports SM2 section in this guide for detailed steps.

Importing an archive file

You can use the BIG-IP Configuration utility to upload an archive file onto the BIG-IP system.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. For the Upload Archive File setting, click Browse and select the file to be imported.
  4. Click the Load button.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Exporting an SSL certificate

You perform this task to export an SSL certificate to another device.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. Click the name of the certificate you want to export.
    The General Properties screen displays.
  3. Click Export.
    The Certificate Export screen displays the contents of the certificate in the Certificate Text box.
  4. To obtain the certificate, do one of the following:
    • Copy the text from the Certificate Text field, and paste it as needed into an interface on another system.
    • At the Certificate File option, click Download filename where the filename is the name of the certificate file, such as mycert.crt.

Exporting an SSL certificate to another device with an SM2 license

You perform this task to export an SSL certificate to another device with an SM2 license.
  1. On the Main tab, click System > Certificate Managment > Traffic Certificate Managment .
    The Traffic Certificate Management screen opens.
  2. Click the name of the SM2 certificate you want to export.
    The General Properties screen displays.
  3. Click Export.
    The Certificate Export screen displays the contents of the certificate in the Certificate Text box.
  4. To obtain the certificate, do one of the following:
    1. Copy the text from the Certificate Text field, and paste it as needed into an interface on another system with an SM2 license.
    2. At the Certificate File option, click Download Filename where the filename of the certificate file, such as mycert.crt.
After you perform this task, the BIG-IP system uploads an archive file onto the BIG-IP system.

Viewing a list of certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. In the Name column, view the list of certificates on the system.

Viewing a list of SM2 certificates on the system

You can perform this task to view a list of existing digital certificates on the BIG-IP system.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management .
    The Traffic Certificate Management screen opens.
  2. In the Name column, select your SM2 certificate and key to view the details on the system. The Contents column will also indicate the item is a SM2 Certificate & Key.
You can now view your SM2 certificate and key details.

Digital SSL certificate properties

From the BIG-IP Configuration utility, you can see the properties of the SSL digital certificates you have installed on the BIG-IP system.

Property Description
Certificate The name of the certificate.
Content The type of certificate content, for example, Certificate Bundle or Certificate and Key.
Common name The common name (CN) for the certificate. The common name embedded in the certificate is used for name-based authentication. The default common name for a self-signed certificate is localhost.localdomain.
Expiration date The date that the certificate expires. If the certificate is a bundle, this information shows the range of expiration dates that apply to certificates in the bundle.
Organization The organization name for the certificate. The organization name embedded in the certificate is used for name-based authentication. The default organization for a self-signed certificate is MyCompany.

About certificate bundle management

You can use the bundle manager to automatically update and install certificate authority (CA) bundles on the system from two sources: local certificate file objects and remote URL resources. By using the Include Bundles and Include URLs options, you can combine CA certificates from various sources to create a new, customized CA bundle. You can also use the Exclude Bundles and Exclude URLs options to remove certain CA certificates from the resulting CA bundle file. The newly created or modified CA bundle file is installed as a certificate-file-object on the system and used as a trusted CA bundle by other modules.

In addition, you can set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created CA bundle manager does not create or update the managed CA bundle object. Exceptions are if the CA bundle manager has a positive update interval or is explicitly told to do so since you have set the Update Now option.

Creating a new certificate bundle

You can create a new certificate authority (CA) bundle, and specify bundles and URLs to include or exclude. You can also set the update frequency of the CA bundle, or use a web proxy for downloading the remote URL resources.

Note: The resulting bundle file will be named the same as the bundle manager object.
Note: By default, a newly created CA bundle manager does not create or update the managed CA bundle object unless the CA bundle manager has a positive Update Interval or is explicitly told to do so by the Update Now option.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Bundle Manager List .
    The Bundle Manager List screen opens.
  2. Click Create.
  3. From the Include Bundles Available list, select the certificate file objects to include for generating a new CA bundle.
  4. In the Include URLs field, type the URL where remote CA bundles reside, and click Add to include that for generating the new CA bundle.
    Only HTTPS URLs are allowed in the Include URLs fields.
  5. From the Exclude Bundles Available list, select the certificate file objects to exclude from the new CA bundle.
  6. In the Exclude URLs field, type the URL where remote CA bundles reside, and click Add to exclude it from the new CA bundle.
    Only HTTPS URLs are allowed in the Exclude URLs fields.
  7. In the Update Interval field, type the number of days at which to refresh the remote CA bundles at the URLs.
    Note: The default value is set to 0 and indicates that the generated CA bundle is not dynamically updated.
  8. If you want the CA bundle manager to immediately refresh its generated CA bundle from all its sources and recalculate its certificate contents, select the Update Now check box.
    Note: The default value is disabled.
  9. From the Trusted CA-Bundle list, select the CA bundle that this CA bundle manager will use to download remote CA bundles in the include and exclude URLs.
  10. In the Proxy Server field, type the host name or IP address of the proxy server for accessing remote URL resources.
    Note: Only HTTP proxy is supported. You may optionally prepend http:// to the host name or IP address.
  11. In the Proxy Server Port field, type the port number of the proxy server for accessing remote URL resources.
    Note: The default is 3128.
  12. In the Download Timeout field, specify the timeout period, in seconds, to download the remote CA bundles from the URLs.
    The value range is from 1 to 3600 (1 hour) seconds.
    Note: The default value is 8 seconds.
  13. Click Finished.
The system installs a generated CA bundle file as a certificate-file-object on the system to be used as a trusted CA bundle by other modules.

Modifying an existing certificate bundle

You can use the bundle manager to modify an existing certificate authority (CA) bundle.

  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Bundle Manager List .
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. From the Bundle Manager List, click the name of the CA bundle that you want to modify.
    The Properties screen opens showing the selected CA bundle general properties and configuration details
  3. Select the Update Now check box if you want the bundle to be updated.
  4. Modify any of the configuration details needed, and click Update.
The system updates the selected CA bundle’s configuration with the modified configuration details.

Deleting an existing certificate bundle

You can use the bundle manager to delete an existing certificate authority (CA) bundle.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Bundle Manager List .
    The Bundle Manager List screen opens listing all existing CA bundles and their name, update interval, proxy server, trusted CA-bundle, and partition/path details.
  2. Select the check box next to the name of the CA bundle that you want to delete.
  3. Click Delete.
    Note: You can also delete a CA bundle on the Properties screen by clicking Delete at the bottom of the screen.
    Note: Deleting the CA bundle manager does not delete the managed CA bundle file object. You should delete the CA bundle file object separately or you might receive an error message indicating that your managed CA bundle file object is referenced by a CA bundle manager.
This deletes the selected CA bundle from the system.

About certificate order management

The BIG-IP system supports a unified interface for F5 customers to manage Certificate Authority (CA) certificate operations within the BIG-IP. Currently, F5 supports Certificate Authorities Comodo (now known as Sectigo) and Symantec (purchased by Digicert) by automating certificate management with trusted certificate authorities. You can generate, renew, and revoke certificates as necessary after setting up general properties, authentication details, certificate authority request order information, and internal proxy connection details.

A CA request is made up of multiple pieces of information from both the Certificate Order Manager and the Certificate Signing Request (CSR). This information is combined in the API request sent to the vendor. For example, the Certificate Order Manager object maintains information about contacting the CA, including authentication information and URI. It also maintains information about the type of certificate product being purchased from the vendor. The CSR, created during the certificate key creation in TMOS, maintains information about the specific host, or hosts, that the certificate is intended to cover (such as their common name, email address, and other information). With this information combined in the API request and sent to the vendor, it allows you to configure one certificate order for multiple certificates that use common certificate types and durations.

Note: Make sure to read the Certificate Authority documentation you select so to better understand and note specific CA requirements, APIs, and other information that you will need so to complete the new certificate order information fields. Each Certificate Authority requires different information to generate a CA order. You will need to map the external CA information in their documentation to the fields in this task.
Note: Digicert and Symantec still have their own APIs. F5’s BIG-IP certificate order only works with the Symantec legacy API and not the Digicert API. Please refer to your CA’s documentation for API details.

Generating a new certificate order (Comodo)

  • Before setting up the CA order, you must first do one of the following:
    • Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
    • Setup and configure a proxy server pool in your system's environment.
  • Make sure you have an account with the CA that is being setup for API access.

To generate a new Comodo certificate order, use the following steps.

Comodo is now known as Sectigo. For Comodo certificate manager tool and account information, see the official Sectigo web site. Make sure to read the Sectigo documentation and refer to it as necessary to understand their requirements, APIs, and other information that will help you complete the new certificate order information fields. In this documentation, and in the BIG-IP UI, F5 refers to Comodo as the CA name.

Note: Each CA requires different information to create a CA order. Depending on the CA you select, certificate order fields will vary and are tailored to be vendor specific. The certificate order manager information will be paired with the CSR information, which is created when configuring the certificate key in TMOS (this maintains information about the specific host or hosts that the certificate is intended to cover, such as their common name, email address, etc.). These are combined in the API request that is sent to the vendor.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Certificate Order Manager List . The Certificate Order Manager List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
  4. From the Certificate Authority list, select Comodo.
    Note: Comodo is the default certificate authority selected.
  5. The Auto Renew field is selected by default.
  6. In the Login Name field, type a unique login name. Use the same login name you use with your Comodo CA account.
  7. In the Login Password field, type a password. Use the same login password you use with your Comodo CA account.
    Note: For Comodo, F5 recommends you use a dedicated user for API access with limited rights to specific items rather than the overall administrator object used at log in.
  8. In the Validity Days field, type the number of days the certificate authority request remains valid.
    Note: Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.
    Note: For Comodo, this number must later match one of the options configured in the CCM for the certificate type.
  9. In the Base URL field, type your CA account’s base URL if it is different from the default base URL provided by the CA.
  10. In the Additional HTTP Headers field, type the CA’s specific key value pair (separated by a colon). You can add additional key value pairs by separating them with a semicolon. In this instance, the key is the unique customer URI and the value is specific to the user. For example, you must have the following string: customerURI:<customer uri>. The <customer uri> is replaced with the actual customer URI.
    Note: Check with your specific CA account documentation to determine how to use their API information and determine required additional HTTP header information.
    Note: This field is required for the Comodo CA order. When you create an account with Comodo, the customer URI is unique to Comodo CA and is provided for customer use. The Comodo customer URI is found by looking at the URI used to access the Comodo certificate manager. For example, if the URI for Comodo is https://cert-manager.com/customer/my-customer-uri/locale=en#0, then the customer URI is between customer/ and before /locale and is, in this example, my-customer-uri.
  11. From the CA Certificate list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is ca-bundle.
  12. In the Order Information fields, fill in the information required by your selected CA.
    Note: Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.
    Note: The options in the Order Information field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name Values, the text field at the bottom of the Order Information section will automatically populate with your CA configuration.
    1. Select the Edit as text box if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the Order Information section. If you add the CA configuration information in this manner, the required fields in Order Information will be automatically populated with the values you input for each required Name field.
      Note: For Comodo, after entering the OrgID, enter -1 in the Server Type field to indicate that the certificate is for the server type other.
    2. Use your CA account documentation to complete the required configuration fields provided.
    3. Click Add to add additional Name and Value fields from the list. This list is of names you can add are specific to the CA account you have chosen.
      Note: For Comodo CA, you can also click Add next to the Custom Fields name and type a custom Name not available in the list.
    4. Click Delete after selecting to remove any additional Name and Value fields you have added.
      Note: You may not delete any CA API information required by your CA.
    Note: As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the keys in the CA API.
    Table 1. Mapping of required F5 names to the original name of the keys in the Comodo CA API
    F5 Names in Order Information Vendor Keys in the CA API
    Org ID orgId
    Server Type serverType
    Note: F5 recommends that you verify the order information with the vendor before using in production.
  13. In the Internal Proxy fields, do the following to setup an internal proxy to allow outside communications:
    1. Select New Internal Proxy or Internal Proxy List.
      Note: You can also manage existing internal proxies, or create new internal proxies, by selecting System > Services > Internal Proxies and either select an existing internal proxy name to edit or click Create to create a new one.
      • New Internal Proxy: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide Proxy Server Pool details), specify the DNS Resolver and Route Domain (optional) information.
      • Internal Proxy List: If you select to use an existing internal proxy list, select it from the available items in the list.
  14. Click Finished.
You have now successfully generated a new Comodo certificate order manager object.
You are now ready to create:
  • a new SSL certificate
  • check certificate request status
  • renew a certificate

  • revoke a certificate.

Generating a new certificate order (Symantec)

  • Before setting up the CA order, you must first do one of the following:
    • Setup a DNS responder in the system. Note: This does not apply to the DNS setup done during the system setup wizard.
    • Setup and configure a proxy server pool in your system's environment.
  • Make sure you have an account with the CA that is being setup for API access.

To generate a new Symantec certificate order, use the following steps.

Symantec is now known as Digicert (after Digicert purchased Symantec). In this documentation, and in the BIG-IP UI, F5 refers to Symantec as the CA name. For Symantec certificate manager tool and account information, see the official Symantec (or Digicert as needed) web site. Digicert currently maintains Symantec’s API for Symantec’s customers. However, existing Digicert customers will not be able to use the Symantec APIs. In this documentation, and in the BIG-IP UI, F5 refers to Symantec as the CA name.

Note: Each CA requires different information to generate a CA order. Depending on the CA you select, certificate order fields will vary and are tailored to be vendor specific. The certificate order manager information will be paired with the CSR information, which is created when configuring the certificate key in TMOS (this maintains information about the specific host or hosts that the certificate is intended to cover, such as their common name, email address, etc.). These are combined in the API request that is sent to the vendor.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Certificate Order Manager List . The Certificate Order Manager List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the certificate order manager. If you create a group of keys, this name will represent them.
  4. From the Certificate Authority list, select Symantec.
    Note: Comodo is the default certificate authority selected.
  5. The Auto Renew field is selected by default.
  6. From the Client Certificate list, select the required client certificate.
    Note: For Symantec, the user must be authorized for the VICE2 web services application role (W in the Roles list). This can be checked by logging into your Symantec account.
  7. From the Client Key list, select the required client key.
  8. In the Key Passphrase field, type the CA’s key passphrase.
  9. In the Validity Days field, type the number of days the certificate authority request remains valid.
    Note: Check with your specific CA account to enter a valid number of days. Most CAs allow you to select in 365 day increments.
  10. In the Base URL field, type your CA account’s base URL if it is different from the default base URL provided by the CA.
  11. Leave the Additional HTTP Headers field blank. Symantec does not require this information.
  12. From the CA Certificate list, select the trusted CA certificate/certificate bundle to authenticate the TLS connection with the CA server. The default CA bundle is ca-bundle.
  13. In the Order Information fields, fill in the information required by your selected CA.
    Note: Each CA will require different order information and will display different required fields. Check your CA’s official documentation to provide required values.
    Note: The options in the Order Information field are based on the CA you chose in the General Properties and are required to successfully generate a new certificate order. As you fill in the name Values, the text field at the bottom of the Order Information section will automatically populate with your CA configuration.
    1. Select the Edit as text box if you would like to alternatively type, or copy and paste, your existing CA configuration information directly into the field provided at the bottom of the Order Information section. If you add the CA configuration information in this manner, the required fields in Order Information will be automatically populated with the values you input for each required Name field.
    2. Use your CA account documentation to complete the required configuration fields provided.
    3. Click Add to add additional Name and Value fields from the list. This list is of names you can add are specific to the CA account you have chosen.
    4. Click Delete after selecting to remove any additional Name and Value fields you have added.
      Note: You may not delete any CA API information required by your CA.
    Note: As you enter values in this section and the text field auto fills with your configuration details, you can see the original name of the value Names.
    Table 2. Mapping required F5 names to the original name of the keys in the Symantec CA API
    F5 Names in Order Information Vendor Keys in the CA API
    First Name firstName
    Last Name lastName
    Email email
    Product Type certProductType
    Server Type serverType
    Note: F5 recommends that you verify the order information with the vendor before using in production.
  14. In the Internal Proxy fields, do the following to setup an internal proxy to allow outside communications:
    1. Select New Internal Proxy or Internal Proxy List.
      Note: You can also manage existing internal proxies, or create new internal proxies, by selecting System > Services > Internal Proxies and either select an existing internal proxy name to edit or click Create to create a new one.
      • New Internal Proxy: If you select to create a new internal proxy, you must type a name, specify if you are using a proxy server (and provide Proxy Server Pool details), specify the DNS Resolver and Route Domain (optional) information.
      • Internal Proxy List: If you select to use an existing internal proxy list, select it from the available items in the list.
  15. Click Finished.
You have now successfully generated a new Symantec certificate order manager object.
You are now ready to create:
  • a new SSL certificate
  • check certificate request status
  • renew a certificate

  • revoke a certificate.

Creating a new SSL certificate and key

After creating a new certificate order you will need to request a new certificate from the CA. In order to create a certificate, you will generate a key and Certificate Signing Request (CSR), followed by uploading the CSR to the CA. The CA then generates that will be downloaded and imported into the BIG-IP.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List . The SSL Certificate List screen opens.
  2. Click Create. The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the new SSL certificate.
  4. From the Issuer list, select Certificate Authority to create a request for a certificate/key pair to be sent to a certificate authority. When you send a request to a certificate authority, the certificate authority returns a signed certificate which you then install on the system.
  5. In the Common Name field, type the common name attribute for the certificate. The common name is embedded in the certificate for name-based authentication purposes.
  6. Configure any necessary fields in the Certificate Signing Request Attributes section.
  7. From the Certificate Order Manager list, select the certificate order manager created in the Certificate Order Manager List screen.
  8. From the Order Type list, select New.
  9. In the Order Passphrase field, type a password that contains at least one special character, one numeric digit, one lowercase letter, and one uppercase letter.
    Note: This is only required for Symantec.
  10. Click Finished. The Certificate Signing Request screen opens.
  11. Review any necessary details and click Finished.
  12. Select the Key tab. The CA’s Key Properties and Certificate Order Properties screen opens.
  13. In the Certificate Order field, Order Status will first show In Progress, followed by a status of New Oder Pending, and finishing with New Order Approved.
    Note: Click Refresh to update the UI as necessary.
  14. Click Download Certificate(s) Now to manually check for the status of the order and download the certificate if it has been approved. Click Refresh for the page to be updated with the result. The Order Status field now shows New Order Approved.
  15. Select the Certificate tab. Note that the certificate has now been installed (view details shared in the Certificate Properties section.
Your new CA certificate has been successfully installed.

Renewing an existing SSL certificate and key

To renew an existing SSL certificate and key, use the following steps.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List . The SSL Certificate List screen opens.
  2. From the Name column, select the existing CA certificate and key you want to renew from the list. The Certificate screen opens.
  3. Select the Key tab. The Key screen opens showing the Key Properties and the Certificate Order Properties.
  4. In the Certificate Order section, do the following if you selected a Comodo certificate and key from the list:
    1. From the Type list, select Renew.
    2. In the ID field, type the order ID.
      Note: The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.
    3. Click Update. The Order Status field will show Revoke Order Approved. If any necessary information is not filled in, the Order Status will change to New Order Rejected.
  5. In the Certificate Order section, do the following if you selected a Symantec certificate and key from the list:
    1. From the Type list, select Renew.
    2. In the Passphrase field, you must type the required challenge passphrase for your certificate order to be approved.
    3. In the ID field, make sure the order ID is present.
      Note: The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be renewed. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before renewing a certificate.
    4. Click Update. The Order Status field will change to Revoke Order Approved.
    Note: From the Type list, you can also select New to create a new certificate order to the CA.
You have successfully renewed your existing SSL certificate and key.

Revoking an existing SSL certificate and key

To revoke an existing SSL certificate and key, use the following steps. Revoking an existing certificate and key can be necessary if it has been compromised, its affiliation has changed, and other reasons.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List . The SSL Certificate List screen opens.
  2. From the Name column, select the existing CA certificate and key you want to revoke from the list. The Certificate screen opens.
  3. Select the Key tab. The Key screen opens showing the Key Properties and the Certificate Order Properties.
  4. In the Certificate Order section, do the following if you selected a Comodo certificate and key from the list:
    1. From the Type list, select Revoke.
    2. From the Revoke Reason list, select the reason you are revoking the existing SSL certificate and key.
    3. In the ID field, type the order ID.
      Note: The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.
    4. Click Update. The Order Status field will change to Revoke Order Approved. If any necessary information is not filled in, the Order Status will change to New Order Rejected.
  5. In the Certificate Order section, do the following if you selected a Symantec certificate and key from the list:
    1. From the Type list, select Revoke.
    2. In the Passphrase field, you must type the required challenge passphrase for your certificate order revoke request to be approved.
    3. In the ID field, make sure the order ID is present.
      Note: The order ID is provided by the CA and the BIG-IP stores it in the order ID field. The order ID is required for a certificate to be revoked. If the first certificate was not originally ordered from the BIG-IP, you must manually enter the order ID before revoking a certificate.
    4. Click Update. The Order Status field will change to Revoke Order Approved.
    Note: From the Type list, you can also select Cancel to cancel the previous certificate order to the CA. However, if the order was already sent to the server, the CA will still issue a certificate and cannot be cancelled.
You have successfully revoked your existing SSL certificate and key.

Modifying an existing certificate order manager

To modify an existing certificate order manager, use the following steps:
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Certificate Order Manager List . The Certificate Order Manager List screen opens.
  2. Click the Name of the certificate you want to modify.
  3. Modify necessary fields and click Update.
You have now successfully modified an existing certificate order.

Deleting an existing certificate order manager

To delete an existing certificate order manager, use the following steps:
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > Certificate Order Manager List . The Certificate Order Manager List screen opens.
  2. Select the check box next to the Name of the certificate you want to delete.
  3. Click Delete.
You have now successfully deleted an existing certificate order.
Table of Contents | << Previous Chapter
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information