Manual Chapter : Managing External HSM Keys for LTM

Applies To:


  • BIG-IP DNS 14.1.0
  • BIG-IP AFM 14.1.0
  • BIG-IP ASM 14.1.0
  • BIG-IP AAM 14.1.0
  • BIG-IP APM 14.1.0
  • BIG-IP LTM 14.1.0

Generating a key/certificate using tmsh

You can use the Traffic Management Shell (tmsh) to generate a key and certificate.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Generate the key.
    create sys crypto key <key_name> gen-certificate common-name <cert_name> partition-name <partition-name> security-type nethsm

    This example generates an external HSM key named test_key and a certificate named test_nethsm.com with the security type nethsm, in the HSM partition named test_part1:

    create sys crypto key test_key gen-certificate common-name test_nethsm.com partition-name test_part1 security-type nethsm
  4. Verify that the key was created.
    list sys crypto key test_key.key
    Information about the key displays:

    sys crypto key test_key.key {
        key-id <32-digit string>
        key-size 2048
        key-type rsa-private
        nethsm-partition test_part1
        security-type nethsm
    }

When you generate a key/certificate using tmsh, the system creates the private key in the HSM. It also creates a local key object on the BIG-IP system that points to that HSM-resident key; the private key material itself never leaves the HSM.

Creating a self-signed digital certificate

If you are configuring the BIG-IP system to manage client-side HTTP traffic, you perform this task to create a self-signed certificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system to manage server-side HTTP traffic, you must repeat this task to create a second self-signed certificate to authenticate and secure the server-side HTTP traffic.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Self.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. From the Security Type list, select NetHSM.
  15. In the Key Type list, RSA is selected as the default key type.
  16. From the Size list, select a size, in bits.
  17. Click Finished.

Importing a key from the HSM

You can use the BIG-IP Configuration utility to import a key from the HSM.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management. The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, select the New or the Overwrite Existing option and find the key label from your HSM for the key you are going to import.
  5. For the Key Source setting, select From NetHSM and use the key label on NetHSM as the key name.
  6. From the NetHSM Partition list, select Default Partition or choose from any other partitions available.
  7. Click Import.
After you perform this task, the BIG-IP system imports the specified key.

Importing a key from the HSM (using the tmsh)

You can use the Traffic Management Shell (tmsh) to install a key on the BIG-IP system from a specified NetHSM partition.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Install a key.
    tmsh install sys crypto key <key-name> security-type nethsm nethsm-partition-name <partition-name>
  4. Verify that the key was installed.

Creating a new key at a specified partition at NetHSM

You can create a new key at a specified partition at NetHSM by doing the following.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management > SSL Certificate List. The SSL Certificate List screen opens.
  2. Click Create. The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use.
    1. To request a certificate from a CA, select Certificate Authority.
    2. For a self-signed certificate, select Self.
  5. In the Common Name field, enter a name (such as nethsm_ecdsa).
  6. From the Security Type list, select NetHSM.
  7. From the NetHSM Partition list, select Default Partition or any other partition name available.
  8. From the Key Type list, select RSA, DSA, or ECDSA.
  9. If you selected ECDSA, then from the Curve list, select an elliptic curve.
    Note: The elliptic curve secp521r1 is not supported on the F5 10350v-FIPS hardware platform.
  10. Click Finished.

Creating a new key at a specified partition at NetHSM (using the tmsh)

You can use the Traffic Management Shell (tmsh) to create a new key at a specified partition at NetHSM.
Note: If you do not specify the partition name, the first available HSM partition will be used to create the key. The partition name associated with this key will be named "auto" in BIG-IP.
  1. Log in to the command-line interface of the system using an account with administrator privileges.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Create a new key.
    tmsh create sys crypto key <key-name> security-type nethsm nethsm-partition-name <partition-name>
    Note: If you do not specify a partition name, the first detected partition will be used.
  4. Verify that the new key was created.

Requesting a certificate from a certificate authority

You perform this task to generate a certificate signing request (CSR) that can then be submitted to a third-party trusted certificate authority (CA).
Note: F5 Networks recommends that you consult the CA to determine the specific information required for each step in this task.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. From the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
    This is typically the name of a web site, such as www.siterequest.com.
  6. In the Division field, type your department name.
  7. In the Organization field, type your company name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name.
    This name is embedded in the certificate for X509 extension purposes.
    By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. From the Security Type list, select NetHSM.
  17. In the Key Type list, RSA is selected as the default key type.
  18. From the Size list, select a size, in bits.
  19. Click Finished.
    The Certificate Signing Request screen displays.
  20. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate signing request text.
    • For Request File, click the button.
  21. Follow the instructions on the relevant certificate authority web site for either pasting the copied request or attaching the generated request file.
  22. Click Finished.
    The Certificate Signing Request screen displays.
The generated certificate signing request is submitted to a trusted certificate authority for signature.

Deleting a key from the BIG-IP

You perform this task to delete an existing key from the BIG-IP.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
    The Traffic Certificate Management screen opens.
  2. From the SSL Certificate List, select the check box next to the key you wish to delete.
  3. Click Delete.
The key you selected is deleted from BIG-IP.
Note: The key stored in NetHSM is not deleted.

Creating a client SSL profile to use an external HSM key and certificate

After you have added the external HSM key and certificate to the BIG-IP system configuration, you can use the key and certificate as part of a client SSL profile. This task describes using the browser interface. Alternatively, you can use the Traffic Management Shell (tmsh) command-line utility.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. From the Configuration list, select Advanced.
    This selection makes it possible for you to modify additional default settings.
  6. For the Configuration area, select the Custom check box.
    The settings in the Configuration area become available for modification.
  7. Using the Certificate Key Chain setting, specify one or more certificate key chains:
    1. From the Certificate list, select the name of a certificate that you imported.
    2. From the Key list, select the name of the key that you imported.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
    4. Click Add.
  8. Click Finished.
After you have created the client SSL profile, you must assign the profile to a virtual server, so that the virtual server can process SSL traffic according to the specified profile settings.
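The "Verify that the key was created/installed" steps in the tmsh procedures above show what a listing looks like but not what to check in it, and this section mentions that the client SSL profile can also be built from tmsh. The following script is an added example, not F5's code and not taken from this manual: it parses the output of `tmsh list sys crypto key <name>`, confirms that the key's security-type is nethsm and that it sits in the expected HSM partition, and only then prints the tmsh command that attaches the key and certificate to a new client SSL profile. When tmsh is not on the PATH (for example when the script is tried off-box) it runs against a constructed listing that mirrors the sample output in "Generating a key/certificate using tmsh"; the key-id value, the certificate name test_key.crt, the chain name ca-bundle.crt and the profile name hsm_clientssl are assumed placeholders, and the cert-key-chain syntax of `create ltm profile client-ssl` comes from general tmsh usage rather than from this page.

```shell
#!/bin/sh
# Added example (not from the F5 manual): verify that a key created or
# installed with tmsh is really HSM-backed before using it in a client SSL
# profile. Off-box (no tmsh on PATH) the constructed listing below is used so
# the check can be exercised; the key-id is a made-up 32-character value.

SAMPLE_LISTING='sys crypto key test_key.key {
    key-id 0123456789abcdef0123456789abcdef
    key-size 2048
    key-type rsa-private
    nethsm-partition test_part1
    security-type nethsm
}'

# key_listing KEY: the tmsh listing for KEY, or the constructed sample when
# tmsh is not available on this host.
key_listing() {
    if command -v tmsh >/dev/null 2>&1; then
        tmsh list sys crypto key "$1"
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# field LISTING PROPERTY: the value of a single-word property in a listing.
field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_hsm_key KEY EXPECTED_PARTITION
# Succeeds only when the key's security-type is nethsm and its
# nethsm-partition matches. Any other security-type means the private key
# material lives on the BIG-IP rather than in the HSM, which is exactly the
# misconfiguration this check is meant to catch before the key goes into use.
check_hsm_key() {
    listing=$(key_listing "$1") || { echo "cannot list key $1" >&2; return 1; }
    sectype=$(field "$listing" security-type)
    partition=$(field "$listing" nethsm-partition)
    if [ "$sectype" != nethsm ]; then
        echo "$1: security-type '$sectype' (expected nethsm)" >&2
        return 1
    fi
    if [ "$partition" != "$2" ]; then
        echo "$1: nethsm-partition '$partition' (expected $2)" >&2
        return 1
    fi
    return 0
}

# client_ssl_profile_cmd PROFILE CERT KEY CHAIN PARTITION
# Prints the tmsh command that creates a client SSL profile from the clientssl
# parent with one certificate key chain (the tmsh form of the browser steps in
# the last section). It refuses to emit anything unless check_hsm_key passes
# for KEY, so a non-HSM key cannot be wired in by mistake.
client_ssl_profile_cmd() {
    check_hsm_key "$3" "$5" || return 1
    printf 'create ltm profile client-ssl %s defaults-from clientssl cert-key-chain add { %s_chain { cert %s key %s chain %s } }\n' \
        "$1" "$1" "$2" "$3" "$4"
}

# Usage: review the printed command, then run it inside tmsh.
client_ssl_profile_cmd hsm_clientssl test_key.crt test_key.key ca-bundle.crt test_part1
```

The script deliberately prints the profile command instead of executing it, so the operator can review the exact object names before the profile is created; on the BIG-IP itself the same functions run against live `tmsh list` output.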