The following instructions detail how to request, install, and update signed SSL/TLS certificates from SSL.com on F5 BIG-IP systems, using the Configuration Utility.
Requesting a Signed Certificate from SSL.com
To generate a certificate signing request (CSR) using the BIG-IP Configuration Utility, follow these steps:
- On the Main tab, navigate to the SSL Certificate List screen:
  - BIG-IP 13.x and later: System > Certificate Management > Traffic Certificate Management > SSL Certificate List
  - BIG-IP 12.x and earlier: System > File Management > SSL Certificate List
- Click Create.
- Type a unique name for the SSL certificate in the Name field. This is the name that will be used internally by BIG-IP.
- From the Issuer list, select Certificate Authority.
- In the Common Name field, type the Fully Qualified Domain Name (FQDN) of the website this certificate will protect. Depending on the certificate type, this may be a wildcard, such as *.example.com.
- In the Division and Organization fields, enter your department (optional) and organization names.
- Enter your city, state (or province), and country in the Locality, State or Province, and Country fields. All of these fields are mandatory.
- (Optional) In the E-mail Address field, type an email address.
- Enter the duration of the certificate (in days) in the Lifetime field. The range of possible values for this field varies depending on the type of certificate you are requesting.
- For SAN certificates, also known as UCCs, use the Subject Alternative Name field to enter the additional domain names. For more information on ordering a UCC from SSL.com, see this How-To.
- (Optional) In the Challenge Password field, type a password, then re-type it in the Confirm Password field.
- Configure the desired key type and size under Key Properties.
- If the BIG-IP system supports the FIPS hardware security module, specify the key type as FIPS or Normal.
- Click Finished.
- Copy the CSR from the Request Text field, or click the Request File button.
- Follow SSL.com’s instructions to submit the CSR for validation.
- Click Finished.
Importing a Signed Certificate
- On the Main tab, navigate to the SSL Certificate List screen:
  - BIG-IP 13.x and later: System > Certificate Management > Traffic Certificate Management > SSL Certificate List
  - BIG-IP 12.x and earlier: System > File Management > SSL Certificate List
- Click the Import button.
- From the Import Type list, select Certificate.
- For the Certificate Name setting, select the Overwrite Existing option, and click on the name of the pending request (the Name field from the CSR generation process).
- For the Certificate Source setting, select the Upload File option, then browse to the location of the certificate file. Alternately, you may use the Paste Text option to paste in the certificate text. In either case, make sure that the file includes the BEGIN CERTIFICATE and END CERTIFICATE lines and does not contain extraneous whitespace or characters. The certificate should look something like this:
    -----BEGIN CERTIFICATE-----
    [data]
    -----END CERTIFICATE-----
- Click Import to install the certificate.
The signed certificate has now been installed. After installing the certificate, it must be associated with the appropriate client SSL profile (see F5’s documentation on client SSL profiles for more information on configuring these). You can view a list of certificates installed on the BIG-IP system at any time by navigating to the SSL Certificate List.
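The Certificate Source step above asks for a file with the BEGIN CERTIFICATE and END CERTIFICATE lines and no extraneous whitespace or characters. The following added example (not part of the original instructions and not SSL.com or F5 code) runs that check before upload and goes slightly further by confirming the body is base64 that decodes to an ASN.1 SEQUENCE. The function names and the sample data are assumptions made for the illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_ROW = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def check_pem_certificate(text):
    """Return a list of problems in PEM certificate text; empty list means clean."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark at start of file")
        text = text[1:]
    # Assumption: CRLF line endings and one final newline are treated as normal.
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()
    for number, line in enumerate(lines, start=1):
        if line.strip() == "":
            problems.append(f"line {number}: blank or whitespace-only line")
        elif line != line.strip():
            problems.append(f"line {number}: leading or trailing whitespace")
    stripped = [line.strip() for line in lines if line.strip()]
    if stripped.count(BEGIN) != 1 or stripped.count(END) != 1:
        problems.append("expected exactly one BEGIN and one END CERTIFICATE line")
        return problems
    if stripped[0] != BEGIN:
        problems.append("text before the BEGIN CERTIFICATE line")
    if stripped[-1] != END:
        problems.append("text after the END CERTIFICATE line")
    body = stripped[stripped.index(BEGIN) + 1:stripped.index(END)]
    if any(not B64_ROW.fullmatch(row) for row in body):
        problems.append("non-base64 characters between the BEGIN and END lines")
        return problems
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        der = b""
    if der[:1] != b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        problems.append("body does not decode to an ASN.1 SEQUENCE")
    return problems

def make_sample_pem():
    # Constructed placeholder: SEQUENCE header plus filler bytes, not a real certificate.
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"
```

An empty result only means the text is well-formed PEM; it does not verify the certificate's signature, chain, or that it matches the pending request.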
Renewing a Signed Certificate
When renewing a signed SSL certificate, it is strongly recommended by both SSL.com and F5 Networks that you generate a new private key and CSR on your BIG-IP system. This How-To covers SSL/TLS certificate renewal at SSL.com.