Using OpenSSL to create CA and client certificates

Topic

This article applies to BIG-IP 11.x through 14.x. For information about other versions, refer to the following article:

You should consider using this procedure under the following conditions:

  • You want to create a local trusted Certificate Authority (CA) certificate and key.
  • You want to create a client certificate that is signed by the local trusted CA.

Description

You can use the following procedures to create a local trusted CA. The local trusted CA allows you to create and sign client certificates that can be used to establish secure communication with the server. You can then configure a virtual server and Client SSL profile on the BIG-IP system to request or require client certificates. The trusted CA certificate validates the client certificate requests.

Prerequisites

You must meet the following prerequisite to use this procedure:

  • You have root user shell access on the BIG-IP command line.

Procedures

Note: In the following procedures, F5 assumes that you have already created the directory represented as /shared/exampleCA.

Creating a trusted CA key and certificate

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Generate a random number file by using the following command syntax:

    openssl rand -out <Directory-Path>/<Random-Number-Filename> <Size-to-seed-the-Random-Number>

    For example, to write 2048 bytes of random data to the /shared/exampleCA/.rand file, type the following command:

    openssl rand -out /shared/exampleCA/.rand 2048

  2. Generate a CA key by using the following command syntax:

    openssl genrsa -rand <Directory-Path>/<Random-Number-Filename> -out <Directory-Path>/<CA-Key-Filename> <Key-Strength: Number-of-bits>

    For example, to create the clientCA.key CA key by using the /shared/exampleCA/.rand random number file and the key size of 2048 bits, type the following command:

    openssl genrsa -rand /shared/exampleCA/.rand -out /shared/exampleCA/clientCA.key 2048

  3. Generate a CA certificate by using the following command syntax:

    openssl req -x509 -new -key <Directory-Path>/<CA-Key-Filename> -out <Directory-Path>/<CA-Cert-Filename> -days <Number-of-Days>

    For example, to generate an X.509 CA certificate named clientCA.crt from the clientCA.key key, with the certificate valid for 7300 days, type the following command:

    openssl req -x509 -new -key /shared/exampleCA/clientCA.key -out /shared/exampleCA/clientCA.crt -days 7300

Creating and signing a client certificate

Complete the following procedure to create and sign a certificate using the trusted CA.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Create a client certificate key by using the following command syntax:

    openssl genrsa -rand <Directory-Path>/<Random-Number-Filename> -out <Directory-Path>/<Client-Certificate-Key-Filename> <Key-Strength-in-Bits>

    For example, to create a client1.key client certificate key by using the /shared/exampleCA/.rand random number file and the key size of 2048 bits, type the following command:

    openssl genrsa -rand /shared/exampleCA/.rand -out /shared/exampleCA/client1.key 2048

  2. Create a client certificate signing request (CSR) by using the following command syntax:

    openssl req -new -out <Directory-Path>/<Client-CSR-Filename> -key <Directory-Path>/<Client-Certificate-Key-Filename>

    For example, to create a client1.req client CSR by using the client1.key client certificate key, type the following command:

    openssl req -new -out /shared/exampleCA/client1.req -key /shared/exampleCA/client1.key

  3. Create and sign the client certificate by using the following command syntax:

    openssl x509 -req -in <Directory-Path>/<Client-Certificate-Request-Filename> -out <Directory-Path>/<Client-Certificate-Filename> -CAkey <Directory-Path>/<CA-Key-Filename> -CA <Directory-Path>/<CA-Cert-Filename> -days <Number-of-Days> -CAcreateserial -CAserial serial

    For example, to create the client1.crt client certificate that is valid for 365 days by using the client1.req client certificate request, and sign it with the clientCA.key CA key and clientCA.crt CA cert, type the following command:

    openssl x509 -req -in /shared/exampleCA/client1.req -out /shared/exampleCA/client1.crt -CAkey /shared/exampleCA/clientCA.key -CA /shared/exampleCA/clientCA.crt -days 365 -CAcreateserial -CAserial serial
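The two procedures above, scripted end to end as an added example (this is not code from the F5 article) with the chain check the article omits: openssl verify confirms that the signed client certificate chains to the new CA, which is the same trust decision the BIG-IP later makes against the profile's ca-file. It assumes openssl is on PATH; the directory and subject names are constructed for the example, and -subj replaces the interactive openssl req prompts.

```shell
#!/bin/sh
# Added example, not code from the F5 article: the CA and client-certificate
# procedures run end to end without prompts, followed by a chain check.
# Assumes openssl is on PATH; the directory and subject names are constructed.
set -eu

# Build the CA (clientCA.key/.crt) and a CA-signed client certificate
# (client1.key/.crt) under the directory given as $1. The commands mirror the
# article; -subj replaces the interactive openssl req prompts.
build_ca_and_client() {
    dir="$1"
    mkdir -p "$dir"
    openssl rand -out "$dir/.rand" 2048
    openssl genrsa -rand "$dir/.rand" -out "$dir/clientCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/clientCA.key" -out "$dir/clientCA.crt" \
        -days 7300 -subj "/CN=Example Client CA"
    openssl genrsa -rand "$dir/.rand" -out "$dir/client1.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client1.key" -out "$dir/client1.req" \
        -subj "/CN=client1"
    openssl x509 -req -in "$dir/client1.req" -out "$dir/client1.crt" \
        -CAkey "$dir/clientCA.key" -CA "$dir/clientCA.crt" -days 365 \
        -CAcreateserial -CAserial "$dir/serial" 2>/dev/null
}

# Succeeds only if certificate $2 chains to CA certificate $1. This is the
# same trust decision the BIG-IP makes against the profile's ca-file when
# peer-cert-mode is require, so run it before importing anything.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the issuer of a PEM certificate, to confirm it was signed by the
# intended CA and not by a stray key.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}
```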

Importing a trusted CA certificate and key

Complete the following procedure to import the trusted CA certificate and key into the BIG-IP system's file store, so that these items can be applied to the Client SSL profile later.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

    tmsh

  2. To manage the system cryptographic certificates and keys, enter the module by typing the following command:

    /sys crypto

  3. To install the trusted CA certificate from a file, use the following command syntax:

    install cert <CA-Certificate-Name> from-local-file <Directory-Path>/<Certificate-Filename>

    For example, to install the certificate file from /shared/exampleCA/clientCA.crt using the certificate name clientCA-cert, type the following command:

    install cert clientCA-cert from-local-file /shared/exampleCA/clientCA.crt

  4. To install the key from a file, use the following command syntax:

    install key <Key-Name> from-local-file <Directory-Path>/<Key-Filename>

    For example, to install the key file from /shared/exampleCA/clientCA.key by using the key name clientCA-key, type the following command:

    install key clientCA-key from-local-file /shared/exampleCA/clientCA.key

  5. To save the configuration, type the following command:

    save /sys config

  6. To exit the tmsh utility, type quit, and then press the Enter key.

Applying the certificates and keys to a Client SSL profile

Complete the following procedure to apply the Client SSL certificate and key and the trusted CA certificate to a Client SSL profile.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

    tmsh

  2. To create the Client SSL profile, use the following command syntax:

    create /ltm profile client-ssl <ClientSSL-Profile-Name> ca-file <Trusted-CA-Certificate-Name> client-cert-ca <Trusted-CA-Certificate-Name> cert <Site-Certificate-Name> key <Site-Key-Name> peer-cert-mode require

    For example, to create a new sample-clientssl Client SSL profile by using the client1-cert client certificate and the client1-key client key, with the require client certificate mode, and with clientCA-cert as both the trusted CA and the Advertised Certificate Authorities, type the following command:

    create /ltm profile client-ssl sample-clientssl ca-file clientCA-cert.crt client-cert-ca clientCA-cert.crt cert site-cert.crt key site-key.key peer-cert-mode require

    Note: The site-cert.crt and site-key.key files are the certificate and key for the site that is being hosted. They must be signed by a CA if you need CA-signed certificates, or generated as self-signed certificates and assigned to the profile if self-signed certificates are acceptable.

  3. To save the configuration, type the following command:

    save /sys config

  4. To exit the tmsh utility, type quit, and then press the Enter key.

Converting a client certificate to PKCS12

The client certificate and key must be converted to the PKCS12 format before they can be imported into a client desktop's browser. To perform this conversion, complete the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP command line.
  2. To convert a certificate to the PKCS12 format, use the following command syntax:

    openssl pkcs12 -export -in <Directory-Path>/<Client-Certificate-Filename> -inkey <Directory-Path>/<Client-Key-Filename> -out <Directory-Path>/<Client-PKCS12-Filename> -name "<PKCS12-Name>"

    For example, to convert the /shared/exampleCA/client1.crt certificate with the /shared/exampleCA/client1.key key to the PKCS12 file named client1.p12, type the following command:

    openssl pkcs12 -export -in /shared/exampleCA/client1.crt -inkey /shared/exampleCA/client1.key -out /shared/exampleCA/client1.p12

  3. Use SCP to copy the /shared/exampleCA/client1.p12 file from the BIG-IP system and import it into the browser of any client desktop that must perform SSL/TLS communication with the BIG-IP virtual server that uses the previously created Client SSL profile.
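The PKCS12 conversion above, as an added example that is not code from the F5 article, made scriptable with -passout instead of the interactive export-password prompt, and with a round-trip check that the bundle really carries the same certificate before it is copied to a desktop. It assumes openssl is on PATH; the file paths, the friendly name and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the F5 article: non-interactive PKCS12 export of
# a client certificate and key, plus a round-trip fingerprint check.
# Assumes openssl is on PATH; paths, name and passphrase are constructed.
set -eu

# Export cert ($1) and key ($2) to a passphrase-protected .p12 ($3). The
# article's command prompts for the export password; -passout supplies $4 so
# the step can be scripted (keep the passphrase out of shell history).
export_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "client1" -passout "pass:$4"
}

# Print the SHA-256 fingerprint of a PEM certificate file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the SHA-256 fingerprint of the client certificate inside .p12 file $1,
# unlocked with passphrase $2. Fails (non-zero) if the passphrase is wrong,
# because the MAC over the bundle no longer verifies.
p12_fingerprint() {
    pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

Comparing pem_fingerprint of client1.crt with p12_fingerprint of client1.p12 confirms that the bundle handed to the desktop contains exactly the certificate the CA signed.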

Reprinted from blog.csdn.net/zhanaolu4821/article/details/89500772