When you first deploy an F5 BIG-IP, the appliance generates a self-signed device certificate and stores it locally. That works, but it is not what you want in production: every browser that connects to the management interface raises a warning, administrators learn to click through it, and nothing distinguishes the genuine appliance from something impersonating it on the path.
In this post I will show you how to replace that certificate with one issued by your own Certificate Authority on an F5 BIG-IP. The process has three steps:
- Generate the Certificate Signing Request (CSR) – this is done on the F5-BIGIP appliance
- Pass the CSR to a Certificate Authority (CA) for signing; at the end of this process, a digital certificate is issued
- Import the digital certificate on the appliance
The certificate we are replacing here is the Device Certificate, not the certificates you attach to SSL profiles for traffic passing through virtual servers. The device certificate is what the Configuration utility presents over HTTPS when you log in to manage the appliance, so that your browser can authenticate the device (it does not authenticate you), and it is the identity BIG-IP devices use to establish device trust with each other, for instance between the two members of an HA pair. One caveat follows from that: if the device is already in a device trust with peers, expect to re-establish that trust after the change, because the peers have the old certificate on file.
STEP 1: Generate the Certificate Signing Request (CSR)
You need to generate a Certificate Signing Request. A CSR is not encrypted; it is a plaintext PKCS#10 request carrying the appliance's public key and the identity you want certified, signed with the matching private key, which never leaves the appliance. You hand this request to a certification authority, which checks it and issues a certificate binding that public key to that identity; anyone who trusts the CA can then trust the certificate.
In your web GUI go to System > Device Certificates > Device Certificate > Renew
Next, change the Issuer from Self to Certificate Authority and fill in the remaining fields with real values. The Common Name should be the hostname you use to reach the management interface. Current browsers match the hostname against a Subject Alternative Name rather than the Common Name, so check that the certificate your CA issues carries one (on a Windows CA this comes from the template); otherwise the browser warning will persist even once the CA is trusted. Below is what I used:
Click Finished button.
STEP 2: Issue the digital certificate
For this step, I'll use my local CA running on Windows Server 2003.
Open the Certification Authority snap-in, right-click the CA at the root of the tree and choose All Tasks > Submit new request...
Select the file saved at the end of step 1, server.csr. The request now appears under Pending Requests; right-click it and choose All Tasks > Issue. If your CA is an enterprise CA rather than a standalone one, the snap-in may reject the CSR because it names no certificate template; in that case submit it with the certreq command-line tool instead, which lets you name the template with its -attrib option.
In the left pane, go to Issued Certificates, find your certificate, right-click it and choose All Tasks > Export Binary Data, saving the binary certificate to a file:
At the end of this process, you should have a digital certificate binary file. We will use this file next to import the digital certificate.
STEP 3: Import the Digital Certificate to the F5-BIGIP appliance
Connect back to your F5 and import the certificate: go to System > Device Certificates > Device Certificate > Import.
On the next screen, browse to the binary certificate file you exported from the CA, select it and click Import:
Lastly, verify the installation: log out and log back in, accept the certificate if prompted, and click the padlock in your browser to display the certificate the login session is now using. Here is what I get in Safari:
Notice the warning: it appears only because my Certificate Authority is not a publicly recognised one. Adding the CA's root certificate to the trusted root store on the client would make it go away (add the CA certificate rather than the device certificate itself, so that other certificates issued by the same CA are trusted too).
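The three steps above, rehearsed end to end with openssl as an added example (this is not from the original post and is not F5 or Microsoft tooling; it needs only a shell and openssl and never touches an appliance). A local key and CSR stand in for what BIG-IP generates behind Renew, a throwaway root CA stands in for the Windows CA, and the last four functions are the checks worth running on the issued file before and after Import instead of relying on the browser padlock. The hostname bigip01.example.test, the organisation names and the file names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the post's three steps
# with openssl in a scratch directory, then run the checks you would run on the
# real files. bigip01.example.test, "Example Ltd" and "Example Lab Root CA" are
# made-up names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1 stand-in: private key plus CSR, which is what BIG-IP produces behind
# Renew with Issuer = Certificate Authority (on the appliance the key stays
# under /config/httpd/conf/ssl.key/; only server.csr is handed to the CA).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=GB/ST=London/L=London/O=Example Ltd/OU=Network/CN=bigip01.example.test" \
    2>/dev/null
}

# Check before submitting: the CSR's self-signature verifies (-verify fails the
# command otherwise) and the CN is the name you use to reach the management
# interface. Prints the CN.
csr_cn() {
  openssl req -in "$WORK/server.csr" -noout -verify -subject 2>/dev/null \
    | sed -n 's/.*CN *= *//p'
}

# Step 2 stand-in for the Windows CA: a throwaway root signs the request.
# A CA template normally supplies SAN and EKU; -extfile does that job here so
# the result looks like what a web-server template issues.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example Ltd/CN=Example Lab Root CA" 2>/dev/null
  printf 'subjectAltName=DNS:bigip01.example.test\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3 checks on the file you are about to import. Against a live box, run
# the same checks on what
#   openssl s_client -connect bigip01.example.test:443 -showcerts </dev/null
# returns after the import.

# (a) The certificate's public key is the one behind the CSR, i.e. the CA
#     signed the request you sent and you are importing the right file.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)" ]
}

# (b) The certificate chains to the CA you expect.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# (c) The issued subject CN still matches what was requested.
cert_cn() {
  openssl x509 -in "$WORK/server.crt" -noout -subject | sed -n 's/.*CN *= *//p'
}

# (d) The SAN that browsers actually match on is present.
has_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -q 'DNS:bigip01.example.test'
}

make_csr
issue_cert
echo "CSR CN      : $(csr_cn)"
echo "cert CN     : $(cert_cn)"
echo "SAN present : $(has_san && echo yes || echo no)"
echo "chain       : $(chain_ok && echo OK || echo FAIL)"
echo "key matches : $(key_matches_cert && echo yes || echo no)"
```

Check (a) is the one people skip: the Import dialog will happily accept any certificate, and a CA operator picking the wrong pending request produces a file that chains and has the right name but does not match the key on the appliance. Check (b) run with the real CA's root is also what tells you which certificate to add to the client's trusted root store.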
Rafael A. Couto Cabral • LinkedIn Profile
Cisco | F5 | VMware Certified • PRINCE2 Practitioner
Originally posted 2017-10-05 10:45:36.