Non-Diagnostic
Topic
This article applies to BIG-IP 11.x - 13.x. For information about other versions, refer to the following article:
K7388: Creating SSL certificates and keys with OpenSSL (9.x - 10.x)
You should consider using this procedure under any of the following conditions:
You want to generate a new Secure Sockets Layer (SSL) private key and Certificate Signing Request (CSR).
You want to generate a CSR using an existing SSL private key.
You want to generate a new SSL private key and self-signed certificate.
You want to generate a self-signed certificate using an existing SSL private key.
Description
You can use the openssl command to create and manage SSL private keys, CSRs, and self-signed
certificates. While the openssl commands are the same as those in BIG-IP 10.x, the installation methods
and working directories for the SSL private keys, CSRs, and certificates have changed. Beginning in BIG-IP
11.x, you must install SSL private keys and certificates into the BIG-IP system filestore using the Traffic
Management Shell (tmsh) before they can be referenced by an SSL profile.
There are benefits to generating a new SSL private key when renewing your SSL certificates. Since SSL
keys and certificates apply to specific websites and are typically valid for one or two years, it may be easier
to manage their renewal by including the website's domain name and the current year in the file name.
Additionally, some third-party Certificate Authorities (CA) may require that a new SSL private key be
generated with each new CSR.
Prerequisites
Procedures
Impact of procedures: Performing the following procedure should not have a negative impact on your
system.
You can perform this procedure when requesting a new SSL certificate from a CA, or when renewing an
existing CA signed SSL certificate.
For example, the following command generates a new 2048-bit SSL private key in the /config/ssl/ssl.key/ directory named f5test.com_2013.key:
Note: To add a password to the key for extra security, refer to K14912: Adding and removing
encryption from private SSL keys (11.x - 13.x).
3. Generate a new CSR using the following command syntax. The OpenSSL req command will prompt
you to enter certificate attributes:
Note: Beginning in 11.5.0, the BIG-IP Configuration utility generates a new CSR using the SHA2 digest. Add the digest option (-sha256) when using openssl req so that the CSR also uses SHA2.
The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5test.com_2015.csr, using the SSL private key named f5test.com_2015.key with a SHA2 digest:
11.0.0 to 11.4.1:
The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5test.com_2015.csr, using the SSL private key named f5test.com_2015.key with a SHA1 digest:
4. Submit the CSR you generated in the previous step to your CA to obtain a new SSL certificate.
Note: Some CAs have an online CSR verification tool that you can use to verify the CSR before
submitting it. For example:
http://www.thawte.nl/en/support/test+your+csr/
5. Once you have received the new SSL certificate, copy it to the /config/ssl/ssl.crt/ directory.
6. To install the new SSL private key and certificate into the BIG-IP filestore, use the following command
syntax:
For example, the following commands install the SSL private key and certificate generated in the
previous steps:
8. The SSL private key and certificate can now be associated with an SSL profile.
You can use this procedure when renewing an SSL certificate using an existing SSL private key.
Note: In creating the examples in this section, F5 assumes that the existing SSL private keys and
certificates were created following the Generating a new SSL private key and CSR section.
Note: A copy of the existing SSL private key will be created in the filestore using the current year in the
filename.
Note: Beginning in 11.5.0, the BIG-IP Configuration utility generates a new CSR using a SHA2 digest. Add the digest option (-sha256) when using openssl req so that the CSR also uses SHA2.
For example, the following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5test.com_2014.csr, reusing the SSL private key named f5test.com_2014.key, with a SHA2 digest:
openssl req -new -key /config/ssl/ssl.key/f5test.com_2014.key -out /config/ssl/ssl.csr/f5test.com_2015.csr -sha256
11.0.0 - 11.5.0:
For example, the following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5test.com_2014.csr, reusing the SSL private key named f5test.com_2014.key, with a SHA1 digest:
3. Submit the CSR you generated in the previous step to a CA to renew your SSL certificate.
Note: Some CAs will have an online CSR verification tool that you can use to verify the CSR before
submitting it. For example:
http://www.thawte.nl/en/support/test+your+csr/
4. Once you have received the new signed SSL certificate, copy it to the /config/ssl/ssl.crt/ directory.
5. To install the existing SSL private key and new SSL certificate into the BIG-IP filestore, use the
following command syntax:
For example, the following commands install the existing SSL private key, and the certificate
generated in the previous steps:
7. The SSL private key and certificate can now be associated with an SSL profile.
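The two CSR procedures above (a new key with a new CSR, then a renewal CSR that reuses that key), in a scripted, non-interactive form, together with the checks worth running before a CSR goes to the CA: that the request verifies, that it really carries a SHA2 signature rather than the older SHA1 default, and that the public key in the request belongs to the private key you are about to install. This is an added example and not part of the F5 article. It writes to a scratch directory instead of /config/ssl/ssl.key and /config/ssl/ssl.csr so that it runs off-box; the domain, subject fields and years are constructed sample values; and the tmsh install commands from the steps above are printed for pasting rather than executed, because tmsh exists only on the BIG-IP itself.

```shell
#!/bin/sh
# Added example, not F5's text: scripted "new key + CSR" and "existing key + CSR"
# procedures plus pre-submission checks. WORKDIR stands in for /config/ssl/ssl.key
# and /config/ssl/ssl.csr so the script runs anywhere openssl is installed.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="f5test.com"                                    # constructed sample value
SUBJ="/C=US/ST=WA/L=Seattle/O=Example Org/CN=$DOMAIN"  # constructed sample subject

# Generate a new 2048-bit RSA private key named <domain>_<year>.key. Prints the path.
gen_key() {
    year="$1"
    key="$WORKDIR/${DOMAIN}_${year}.key"
    openssl genrsa -out "$key" 2048 >/dev/null 2>&1
    chmod 600 "$key"          # a private key must not be group- or world-readable
    echo "$key"
}

# Generate a CSR from an existing key, signed with SHA-256 (the article's "digest
# option"). -subj supplies the attributes that openssl req would otherwise prompt for.
gen_csr() {
    key="$1"; year="$2"
    csr="$WORKDIR/${DOMAIN}_${year}.csr"
    openssl req -new -key "$key" -out "$csr" -sha256 -subj "$SUBJ" >/dev/null 2>&1
    echo "$csr"
}

# Checks to run before sending a CSR to the CA. Prints "ok" when all pass, otherwise
# the name of the first failing check:
#   verify   - the CSR's self-signature does not verify (file damaged or truncated)
#   digest   - the signature algorithm is not sha256WithRSAEncryption
#   keymatch - the public key in the CSR is not the one derived from this private key
check_csr() {
    key="$1"; csr="$2"
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || { echo "verify"; return 1; }
    openssl req -noout -text -in "$csr" 2>/dev/null | grep -q 'sha256WithRSAEncryption' \
        || { echo "digest"; return 1; }
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
    csr_pub="$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)"
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] || { echo "keymatch"; return 1; }
    echo "ok"
}

# The tmsh commands that install a key and its CA-signed certificate into the
# BIG-IP filestore (the article's install step), printed for the operator to paste.
install_cmds() {
    key="$1"; crt="$2"
    echo "tmsh install /sys crypto key $(basename "$key") from-local-file $key"
    echo "tmsh install /sys crypto cert $(basename "$crt") from-local-file $crt"
}

# Year one: new key and CSR. Year two: renewal CSR that reuses the existing key.
demo() {
    k="$(gen_key 2015)"
    c1="$(gen_csr "$k" 2015)"
    c2="$(gen_csr "$k" 2016)"
    check_csr "$k" "$c1" && check_csr "$k" "$c2" \
        && install_cmds "$k" "$WORKDIR/${DOMAIN}_2016.crt"
}
```

Run `demo` after sourcing the file; the keymatch check is the one that catches the common renewal mistake of pairing a CSR with a different key than the one that will be installed under the same profile.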
Note: The -nodes option removes the passphrase prompt for the key. If you want to add a passphrase
to the key for extra security, refer to K14912: Adding and removing encryption from private SSL keys
(11.x - 12.x).
3. To install the new SSL private key and self-signed certificate in the BIG-IP filestore, use the following
command syntax:
For example, to install the SSL private key and self-signed certificate generated in the previous steps:
4. The SSL private key and self-signed certificate can now be associated with an SSL profile.
Note: In creating the examples in this section, F5 assumes that the existing SSL private keys and
certificates were created following the Generating a self-signed certificate and a new SSL private key
section.
Note: A copy of the existing SSL private key will be created in the filestore (/config/filestore/files_d/Common_d/certificate_key_d/<filename>) using the current year in the filename.
openssl req -new -key <key_path_and_name> -x509 -days <# of days> -out <cert_path_and_name>
For example, the following command generates a new self-signed certificate in the /config/ssl/ssl.crt/ directory named f5test.com_self-signed_2015.crt, reusing the existing SSL private key named f5test.com_self-signed_2014.key:
openssl req -new -key /config/ssl/ssl.key/f5test.com_self-signed_2014.key -x509 -days 365 -out /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt
3. To install the new SSL private key and self-signed certificate in the BIG-IP filestore, use the following
command syntax:
For example, to install the existing SSL private key, and the self-signed certificate generated in the
previous steps:
4. You can now associate the SSL private key and certificate with an SSL profile.
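The two self-signed procedures above in scripted form: a new key and self-signed certificate created in one openssl req command (the form to which the -nodes note applies), and a renewal certificate produced with the "openssl req -new -key ... -x509 -days ..." syntax against the existing key. It then runs the two checks a practitioner wants before installing the pair into the filestore: that the certificate actually belongs to the key (a mismatched pair is accepted by tmsh install individually and only fails when the profile is used), and that the validity window is the one that was requested. This is an added example and not part of the F5 article; it writes to a scratch directory instead of /config/ssl/ssl.key and /config/ssl/ssl.crt, and the domain, subject and year values are constructed samples.

```shell
#!/bin/sh
# Added example, not F5's text: scripted self-signed certificate procedures plus
# pre-install checks. WORKDIR stands in for /config/ssl/ssl.key and /config/ssl/ssl.crt.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="f5test.com"                                    # constructed sample value
SUBJ="/C=US/ST=WA/L=Seattle/O=Example Org/CN=$DOMAIN"  # constructed sample subject

# New key and self-signed certificate in one command. -nodes writes the key
# unencrypted, as the article notes, so the file mode is its only protection.
# Prints "<key path> <cert path>" on one line.
selfsigned_new_key() {
    year="$1"; days="$2"
    key="$WORKDIR/${DOMAIN}_self-signed_${year}.key"
    crt="$WORKDIR/${DOMAIN}_self-signed_${year}.crt"
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -subj "$SUBJ" -keyout "$key" -out "$crt" >/dev/null 2>&1
    chmod 600 "$key"
    echo "$key $crt"
}

# Renewal: the article's "openssl req -new -key <key> -x509 -days <n> -out <cert>"
# form, reusing an existing key. Prints the certificate path.
selfsigned_existing_key() {
    key="$1"; year="$2"; days="$3"
    crt="$WORKDIR/${DOMAIN}_self-signed_${year}.crt"
    openssl req -new -key "$key" -x509 -sha256 -days "$days" -subj "$SUBJ" \
        -out "$crt" >/dev/null 2>&1
    echo "$crt"
}

# Does this certificate belong to this private key? Comparing the derived public
# keys is the reliable test and works for RSA and EC keys alike. Prints ok/mismatch.
cert_matches_key() {
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    crt_pub="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then echo "ok"; else echo "mismatch"; fi
}

# Is the certificate still valid in <days> days from now? Uses openssl's own clock
# arithmetic (-checkend, in seconds) so a typo in -days is caught before the
# certificate is installed and a profile starts serving it. Prints ok/expiring.
cert_valid_for_days() {
    crt="$1"; days="$2"
    if openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "expiring"
    fi
}

# Year one: new key and certificate for 365 days. Year two: renewal with the same key.
demo() {
    set -- $(selfsigned_new_key 2015 365)
    key="$1"; crt1="$2"
    crt2="$(selfsigned_existing_key "$key" 2016 365)"
    echo "2015 pair: $(cert_matches_key "$key" "$crt1"), valid 364d: $(cert_valid_for_days "$crt1" 364)"
    echo "2016 pair: $(cert_matches_key "$key" "$crt2"), valid 366d: $(cert_valid_for_days "$crt2" 366)"
}
```

The second line of `demo` reports "expiring" for the 366-day probe of a 365-day certificate, which is the expected result; seeing "ok" there would mean the requested lifetime was not what ended up in the certificate.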
Supplemental Information