My Support
  1. AskF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP Platform: FIPS Administration
  5. Key Management
Manual Chapter : Key Management

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 12.1.2, 12.1.1, 12.1.0

BIG-IP AFM

  • 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AAM

  • 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2

BIG-IP LTM

  • 12.1.2, 12.1.1, 12.1.0, 11.6.4, 11.6.3, 11.6.2, 11.6.1, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Key Management

About managing FIPS keys using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to create FIPS keys, import existing FIPS keys into a hardware security module (HSM), and convert existing keys into FIPS keys.

Existing FIPS keys (.exp files) can only be imported into an HSM that possesses the same Master Symmetric key used when the FIPS keys were exported. The Symmetric Master Key is used to encrypt SSL private keys as they are exported from an HSM. Therefore, only the same Master Symmetric key can be used to decrypt the SSL private keys as they are imported into the HSM.

Note: Import of FIPS keys is supported if the BIG-IP system uses the same Master Symmetric key that was used to export the FIPS keys.

Creating FIPS keys using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to create FIPS keys.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click Create.
    The New SSL Certificate screen opens.
  3. In the Name field, type a unique name for the certificate.
  4. From the Issuer list, specify the type of certificate that you want to use.
    • To request a certificate from a CA, select Certificate Authority.
    • For a self-signed certificate, select Self.
  5. Configure the Common Name setting and any other settings as needed.
  6. In the Key Properties area, select a key size from the Size list.
  7. From the Security Type list, select FIPS.
  8. Click Finished.

Importing keys using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to import existing keys into the system.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click Import.
  3. From the Import Type list, select Key.
  4. For the Key Name setting, click Create New.
  5. In the Key Name field, type a name for the key.
  6. From the Key Source setting, click either Upload File or Paste Text.
    • If you click Upload File, type a file name or click Browse and select a file.
    • If you click Paste Text, copy the text from another source and paste the text into the Key Source screen.
  7. Click Import.
After you import the key, you can convert it to a FIPS key.

Converting a key to FIPS using the BIG-IP Configuration utility

You can use the BIG-IP® Configuration utility to convert an existing key to a FIPS key.
  1. On the Main tab, click System > File Management > SSL Certificate List .
    This displays the list of certificates installed on the system.
  2. Click a certificate name.
    This displays the properties of that certificate.
  3. On the menu bar, click Key.
    This displays the type and size of the key associated with the certificate.
  4. Click Convert to FIPS to convert the key to a FIPS key.
    The key is converted and appears in the list as a FIPS key. After the key is converted, this process cannot be reversed.

About managing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS keys, import existing keys into a BIG-IP® system, and convert existing keys to FIPS keys.

Creating FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to create FIPS keys.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Create a basic key.
    create sys crypto key <key_object_name> security-type fips
    For information about additional options for this command, view the sys crypto key man page: help sys crypto key
    Note: The key creation process takes a few minutes to complete.
  4. Optional: View information about the generated key.
    list sys crypto key <key_object_name>

Importing FIPS keys using tmsh

You can use the Traffic Management Shell (tmsh) to import existing keys into the system.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Import a key.
    install sys crypto key <key_object_name> from-local-file <path_to_key_file> security-type fips
    This example imports a FIPS key named mykey from a local key file stored in the /shared/tmp directory: install sys crypto key mykey from-local-file /shared/tmp/mykey.exp security-type fips

Converting a key to FIPS using tmsh

You can use the Traffic Management Shell (tmsh) to convert a key to a FIPS key.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Convert an existing key to FIPS.
    install sys crypto key <key_object_name> from-local-file <key_file_path> security-type fips

Listing FIPS keys in the HSM using tmsh

You can use the Traffic Management Shell (tmsh) to list the FIPS keys in the hardware security module (HSM).
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. List the keys in the HSM.
    tmsh show sys crypto fips
    A summary similar to this example displays: 
                                  
-------------------------------------------
FIPS 140 Hardware Device
-------------------------------------------
=== private keys (2)
HANDLE            LABEL MOD.LEN(bits)
    6   Common/testkey1.key       2048
    7   /Common/testkey2.key        1024
=== public keys (2)
HANDLE            LABEL MOD.LEN(bits)
    8   Common/testkey1.key       2048
    9   /Common/testkey2.key        1024

Listing FIPS keys in the BIG-IP configuration using tmsh

You can use the Traffic Management Shell (tmsh) to list the FIPS keys in the BIG-IP® configuration.
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. List the keys in the hardware security module (HSM).
    tmsh list sys crypto key
    A summary similar to this example displays: 
                                  
sys crypto key default.key {
    key-size 1024
    key-type rsa-private
    security-type normal
}
sys crypto key testkey2.key {
    fips-handle 7
    key-size 1024
    key-type rsa-private
    security-type fips
}
sys crypto key testkey1.key {
    fips-handle 6
    key-size 2048
    key-type rsa-private
    security-type fips
}

Deleting a key from the BIG-IP configuration and HSM using tmsh

You can use the Traffic Management Shell (tmsh) to delete a key from the BIG-IP® configuration and the hardware security module (HSM).
  1. Log in to the command line of the system using an account with root access.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Delete a specified key.
    delete sys crypto key <key_object_name>

Supported FIPS key sizes

These are the supported key sizes for BIG-IP® FIPS platforms.

FIPS platform Supported key sizes (bits)
5000 1024/2048, 4096
6900 1024, 2048
7000 1024/2048, 4096
8900 1024, 2048
10200 1024/2048, 4096
10350 2048
11000 1024/2048, 4096
11050 1024/2048, 4096

Additional FIPS platform management tmsh commands

This table lists additional tmsh commands that you can use to manage your FIPS platform.

Command Description
show sys crypto fips Lists keys in the FIPS card.
list sys crypto key Lists keys in the BIG-IP® configuration.
delete sys crypto key <key_object_name> Deletes a key from the BIG-IP configuration and the FIPS card.
delete sys crypto fips by-handle <key_handle> Deletes a key from the FIPS card only. Key handles are obtained using the show sys crypto fips command sequence.
CAUTION:
Use this command sequence only in the rare circumstance when you need to delete keys that no longer have configuration objects from the card (for example, keys that do not show up when you run the list sys crypto key command sequence).
Table of Contents | << Previous Chapter | Next Chapter >>

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2019 F5 Networks, Inc. All rights reserved.

Policies Privacy Trademarks