
K14534: Creating SSL certificates and keys with OpenSSL (11.x - 13.x)

Non-Diagnostic

Original Publication Date: Aug 2, 2013

Update Date: Apr 19, 2018

Topic

This article applies to BIG-IP 11.x - 13.x. For information about other versions, refer to the following article:

K7388: Creating SSL certificates and keys with OpenSSL (9.x - 10.x)

You should consider using this procedure under any of the following conditions:

You want to generate a new Secure Sockets Layer (SSL) private key and Certificate Signing Request
(CSR).
You want to generate a CSR using an existing SSL private key.
You want to generate new SSL private key and self-signed certificate.
You want to generate a self-signed certificate using an existing SSL private key.

Description

You can use the openssl command to create and manage SSL private keys, CSRs, and self-signed
certificates. While the openssl commands are the same as those in BIG-IP 10.x, the installation methods
and working directories for the SSL private keys, CSRs, and certificates have changed. Beginning in BIG-IP
11.x, you must install SSL private keys and certificates into the BIG-IP system filestore using the Traffic
Management Shell (tmsh) before they can be referenced by an SSL profile.

There are benefits to generating a new SSL private key when renewing your SSL certificates. Since SSL
keys and certificates apply to specific websites and are typically valid for one or two years, it may be easier
to manage their renewal by including the website's domain name and the current year in the file name.
Additionally, some third-party Certificate Authorities (CA) may require that a new SSL private key be
generated with each new CSR.

Prerequisites

You must meet the following prerequisites to use this procedure:

You are familiar with using the openssl command.


You have command line access to the BIG-IP system.

Procedures

Generating a new CSR and a new SSL private key
Generating a new CSR using an existing SSL private key
Generating a new self-signed certificate and a new SSL private key
Generating a new self-signed certificate using an existing SSL private key

Impact of procedures: Performing the following procedures should not have a negative impact on your
system.

Generating a new CSR and a new SSL private key

You can perform this procedure when requesting a new SSL certificate from a CA, or when renewing an
existing CA signed SSL certificate.

1. Log in to the BIG-IP command line.


2. To generate a new SSL private key, use the following command syntax:

openssl genrsa -out <key_path_and_name> <keysize>

For example, the following command generates a new 2048-bit SSL private key in the /config/ssl/ssl.key/
directory named f5test.com_2015.key:

openssl genrsa -out /config/ssl/ssl.key/f5test.com_2015.key 2048

Note: To add a password to the key for extra security, refer to K14912: Adding and removing
encryption from private SSL keys (11.x - 13.x).

3. Generate a new CSR using the following command syntax. The openssl req command prompts you to
enter the certificate attributes (country, organization, common name, and so on):

openssl req -new -key <key_path_and_name> -out <csr_path_and_name> <digest>

Note: Beginning in 11.5.0, the BIG-IP Configuration utility generates new CSRs using a SHA2 digest.
Add the digest option (for example, -sha256) to openssl req to use SHA2.

11.5.0 and later:

The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named
f5test.com_2015.csr from the SSL private key named f5test.com_2015.key, using a SHA2 (SHA-256) digest:

openssl req -new -key /config/ssl/ssl.key/f5test.com_2015.key -out /config/ssl/ssl.csr/f5test.com_2015.csr -sha256

11.0.0 to 11.4.1:

The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named
f5test.com_2015.csr from the SSL private key named f5test.com_2015.key, using the default SHA1 digest:

openssl req -new -key /config/ssl/ssl.key/f5test.com_2015.key -out /config/ssl/ssl.csr/f5test.com_2015.csr

4. Submit the CSR you generated in the previous step to your CA to obtain a new SSL certificate.

Note: Some CAs have an online CSR verification tool that you can use to verify the CSR before
submitting it. For example:

http://www.thawte.nl/en/support/test+your+csr/

5. Once you have received the new SSL certificate, copy it to the /config/ssl/ssl.crt/ directory.
6. To install the new SSL private key and certificate into the BIG-IP filestore, use the following command
syntax:

tmsh install /sys crypto key <key_name> from-local-file <key_path_and_name>

tmsh install /sys crypto cert <cert_name> from-local-file <cert_path_and_name>

For example, the following commands install the SSL private key and certificate generated in the
previous steps:

tmsh install /sys crypto key f5test.com_2015.key from-local-file /config/ssl/ssl.key/f5test.com_2015.key

tmsh install /sys crypto cert f5test.com_2015.crt from-local-file /config/ssl/ssl.crt/f5test.com_2015.crt

7. Save the configuration by typing the following command:

tmsh save /sys config

8. The SSL private key and certificate can now be associated with an SSL profile.

Generating a new CSR using an existing SSL private key

You can use this procedure when renewing an SSL certificate using an existing SSL private key.

Note: In creating the examples in this section, F5 assumes that the existing SSL private keys and
certificates were created following the Generating a new CSR and a new SSL private key section.

Note: A copy of the existing SSL private key will be created in the filestore using the current year in the
filename.

1. Log in to the BIG-IP command line.


2. Generate a new CSR using the following command syntax. The openssl req command will prompt
you to enter certificate attributes:

openssl req -new -key <key_path_and_name> -out <csr_path_and_name> <digest>

Note: Beginning in 11.5.0, the BIG-IP Configuration utility generates a new CSR using a SHA2 digest.
Add the digest option when using openssl req to use SHA2.

11.5.0 and later:

For example, the following command generates a new CSR in the /config/ssl/ssl.csr/ directory
named f5test.com_2015.csr, reusing the existing SSL private key named f5test.com_2014.key, using a
SHA2 (SHA-256) digest:

openssl req -new -key /config/ssl/ssl.key/f5test.com_2014.key -out /config/ssl/ssl.csr/f5test.com_2015.csr -sha256

11.0.0 to 11.4.1:

For example, the following command generates a new CSR in the /config/ssl/ssl.csr/ directory
named f5test.com_2015.csr, reusing the existing SSL private key named f5test.com_2014.key, using the
default SHA1 digest:

openssl req -new -key /config/ssl/ssl.key/f5test.com_2014.key -out /config/ssl/ssl.csr/f5test.com_2015.csr

3. Submit the CSR you generated in the previous step to a CA to renew your SSL certificate.

Note: Some CAs will have an online CSR verification tool that you can use to verify the CSR before
submitting it. For example:

http://www.thawte.nl/en/support/test+your+csr/

4. Once you have received the new signed SSL certificate, copy it to the /config/ssl/ssl.crt/ directory.
5. To install the existing SSL private key and new SSL certificate into the BIG-IP filestore, use the
following command syntax:

tmsh install /sys crypto key <key_name> from-local-file <key_path_and_name>

tmsh install /sys crypto cert <cert_name> from-local-file <cert_path_and_name>

For example, the following commands install the existing SSL private key, and the certificate
generated in the previous steps:

tmsh install /sys crypto key f5test.com_2015.key from-local-file /config/ssl/ssl.key/f5test.com_2014.key

tmsh install /sys crypto cert f5test.com_2015.crt from-local-file /config/ssl/ssl.crt/f5test.com_2015.crt

6. Save the configuration by typing the following command:

tmsh save /sys config

7. The SSL private key and certificate can now be associated with an SSL profile.
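The two CSR procedures above (new key, or an existing key), scripted as an added example. This is not code from K14534 or from F5; it assumes only that openssl is on the PATH, and it takes file paths as arguments so the same functions work with the BIG-IP /config/ssl tree or a scratch directory. Beyond what the article shows, it uses -subj to skip the interactive prompts, creates the key with a restrictive umask, and runs the checks a practitioner wants before submitting the CSR: the CSR's self-signature verifies, its public key belongs to the intended private key, and the signature digest is SHA-256 (the 11.5.0+ default).

```shell
#!/bin/sh
# Added example (not part of K14534): key and CSR generation with verification.
# Assumes: openssl on PATH. Paths are arguments, e.g. /config/ssl/ssl.key/... on BIG-IP.
set -u

# gen_key <key_path> [keysize]
# New RSA private key; the subshell umask makes the file mode 0600 from the start.
gen_key() {
    ( umask 077 && openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null )
}

# gen_csr <key_path> <csr_path> <subject>
# SHA-256 CSR from a new or an existing key. -subj replaces the interactive prompts;
# subject format example: "/C=US/ST=WA/L=Seattle/O=F5 Test/CN=www.f5test.com"
gen_csr() {
    openssl req -new -sha256 -key "$1" -subj "$3" -out "$2" 2>/dev/null
}

# csr_is_valid <csr_path>
# Succeeds when the CSR's self-signature verifies (what a CA checks first).
csr_is_valid() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_matches_key <key_path> <csr_path>
# Succeeds when the CSR's public key was derived from <key_path> (same RSA modulus).
csr_matches_key() {
    local kmod cmod
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# csr_signature_algorithm <csr_path>
# Prints the CSR's signature algorithm, e.g. sha256WithRSAEncryption or sha1WithRSAEncryption,
# so you can confirm the digest before sending the CSR to the CA.
csr_signature_algorithm() {
    openssl req -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
```

On a BIG-IP system the arguments would be the article's paths, for example gen_key /config/ssl/ssl.key/f5test.com_2015.key followed by gen_csr with that key and /config/ssl/ssl.csr/f5test.com_2015.csr; after the CA returns the certificate, install it with the tmsh install /sys crypto commands shown in the procedure. The csr_matches_key check is the one that catches the most common renewal mistake: generating the CSR against the wrong year's key file.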

Generating a new self-signed certificate and a new SSL private key

1. Log in to the BIG-IP command line.


2. To generate a new SSL private key and self-signed certificate, use the following command syntax:

openssl req -x509 -nodes -newkey rsa:<keysize> -keyout <key_path_and_name> -out <cert_path_and_name> -days <# of days>

For example, the following command generates a new 2048-bit SSL private key in the /config/ssl/ssl.key/
directory named f5test.com_self-signed_2015.key, and a self-signed certificate in the /config/ssl/ssl.crt/
directory named f5test.com_self-signed_2015.crt, valid for 365 days:

openssl req -x509 -nodes -newkey rsa:2048 -keyout /config/ssl/ssl.key/f5test.com_self-signed_2015.key -out /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt -days 365

Note: The -nodes option removes the passphrase prompt for the key. If you want to add a passphrase
to the key for extra security, refer to K14912: Adding and removing encryption from private SSL keys
(11.x - 13.x).

3. To install the new SSL private key and self-signed certificate in the BIG-IP filestore, use the following
command syntax:

tmsh install /sys crypto key <key_name> from-local-file <key_path_and_name>

tmsh install /sys crypto cert <cert_name> from-local-file <cert_path_and_name>

For example, to install the SSL private key and self-signed certificate generated in the previous steps:

tmsh install /sys crypto key f5test.com_self-signed_2015.key from-local-file /config/ssl/ssl.key/f5test.com_self-signed_2015.key

tmsh install /sys crypto cert f5test.com_self-signed_2015.crt from-local-file /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt

4. The SSL private key and self-signed certificate can now be associated with an SSL profile.

Generating a new self-signed certificate using an existing SSL private key

Note: In creating the examples in this section, F5 assumes that the existing SSL private keys and
certificates were created following the Generating a new self-signed certificate and a new SSL private
key section.

Note: A copy of the existing SSL private key will be created in the filestore (/config/filestore/files_d
/Common_d/certificate_key_d/<filename>) using the current year in the filename.

1. Log in to the BIG-IP command line.


2. To generate a new self-signed certificate using an existing SSL private key, use the following
command syntax:

openssl req -new -key <key_path_and_name> -x509 -days <# of days> -out <cert_path_and_name>

For example, the following command generates a new self-signed certificate in the /config/ssl/ssl.crt/
directory named f5test.com_self-signed_2015.crt, reusing the existing SSL private key named
f5test.com_self-signed_2014.key:

openssl req -new -key /config/ssl/ssl.key/f5test.com_self-signed_2014.key -x509 -days 365 -out /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt

Note: This command reuses the existing key, so no new key or passphrase is created. If you want to add
a passphrase to the key for extra security, refer to K14912: Adding and removing encryption from private
SSL keys (11.x - 13.x).

3. To install the existing SSL private key and the new self-signed certificate in the BIG-IP filestore, use the
following command syntax:

tmsh install /sys crypto key <key_name> from-local-file <key_path_and_name>

tmsh install /sys crypto cert <cert_name> from-local-file <cert_path_and_name>

For example, to install the existing SSL private key, and the self-signed certificate generated in the
previous steps:

tmsh install /sys crypto key f5test.com_self-signed_2015.key from-local-file /config/ssl/ssl.key/f5test.com_self-signed_2014.key

tmsh install /sys crypto cert f5test.com_self-signed_2015.crt from-local-file /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt

4. You can now associate the SSL private key and certificate with an SSL profile.
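The two self-signed procedures above (new key, or an existing key), scripted as an added example together with the checks worth running before tmsh install. This is not code from K14534 or from F5; it assumes only that openssl is on the PATH. The base directory is an argument that stands in for /config/ssl on a BIG-IP system, and -subj replaces the interactive prompts. The preinstall_check function is my own addition: it refuses a certificate whose public key does not belong to the private key you are about to install alongside it, or which expires sooner than a chosen number of days, using openssl x509 -checkend.

```shell
#!/bin/sh
# Added example (not part of K14534): self-signed certificate generation plus
# pre-install sanity checks. Assumes: openssl on PATH. <base_dir> mirrors the BIG-IP
# /config/ssl layout (ssl.key/ and ssl.crt/ subdirectories).
set -u

# gen_self_signed <base_dir> <name> <subject> <days> [keysize]
# New key and self-signed certificate in one step, as in the article (-nodes leaves the
# key unencrypted). Writes <base_dir>/ssl.key/<name>.key and <base_dir>/ssl.crt/<name>.crt.
gen_self_signed() {
    local base="$1" name="$2" subj="$3" days="$4" bits="${5:-2048}"
    mkdir -p "$base/ssl.key" "$base/ssl.crt"
    ( umask 077 && openssl req -x509 -nodes -sha256 -newkey "rsa:$bits" -days "$days" \
        -subj "$subj" -keyout "$base/ssl.key/$name.key" \
        -out "$base/ssl.crt/$name.crt" 2>/dev/null )
}

# gen_self_signed_from_key <key_path> <cert_path> <subject> <days>
# Self-signed certificate that reuses an existing private key.
gen_self_signed_from_key() {
    openssl req -new -x509 -sha256 -key "$1" -subj "$3" -days "$4" -out "$2" 2>/dev/null
}

# cert_matches_key <cert_path> <key_path>
# Succeeds when the certificate's public key was derived from <key_path> (same RSA modulus).
cert_matches_key() {
    local cmod kmod
    cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# cert_valid_for_days <cert_path> <days>
# Succeeds when the certificate is still valid <days> from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# cert_is_self_issued <cert_path>
# Succeeds when subject and issuer DN are identical, the mark of a self-signed certificate.
cert_is_self_issued() {
    local s i
    s=$(openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# preinstall_check <cert_path> <key_path> [min_days]
# Prints "ok" and returns 0, or prints the first failing check and returns 1.
# Run this before "tmsh install /sys crypto ..." so a mismatched pair never reaches an SSL profile.
preinstall_check() {
    local cert="$1" key="$2" min="${3:-30}"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing file"; return 1; }
    cert_matches_key "$cert" "$key" || { echo "certificate does not match private key"; return 1; }
    cert_valid_for_days "$cert" "$min" || { echo "certificate expires within $min days"; return 1; }
    echo "ok"
}
```

On a BIG-IP system, gen_self_signed /config/ssl f5test.com_self-signed_2015 "/CN=www.f5test.com" 365 produces exactly the two files the article's tmsh install commands reference; run preinstall_check on the pair first, then install. The expiry threshold is deliberately an argument: for a 365-day self-signed certificate a 30-day margin is sensible, while a freshly issued CA certificate should clear a much larger one.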

Supplemental Information

K17379: Managing BIG-IP SSL certificates and keys
