Adding a Custom Device Digital Certificate on the F5-BIGIP

When you first deploy an F5 load balancer in your network, a self-signed device digital certificate is generated and stored on the F5-BIGIP appliance. While this is ok and works perfectly fine, it is not ideal in a production environment.

In this blog I will show you how to add your own Digital Certificate on a F5-BIG-IP load balancer device. The process involves three steps:

  1. Generate the Certificate Signing Request (CSR) – this is done on the F5-BIGIP appliance
  2. Pass the CSR to a Certificate Authority (CA) for signing; at the end of this process, a digital certificate is issued
  3. Import the digital certificate on the appliance

The digital certificate we will be adding here is called a Device Digital Certificate. This certificate is used, for instance, to establish a secure communication channel between two devices in an HA pair. It is also used in the authentication process when logging in to manage the appliance.

This certificate is not to be confused with the digital certificates linked to a specific virtual server.

STEP 1: Generate the Certificate Signing Request (CSR)

You need to generate your Certificate Signing Request – this is like the F5’s encrypted identification document. You would then provide this document to a certification authority, which validates (certifies) the document, making it valid and trustworthy to the outside world.

In your web GUI go to System > Device Certificates > Device Certificate > Renew

Next, you need to make sure you change the issuer to be a Certificate Authority and populate the remaining fields to something that makes sense – below is what I used:

Click the Finished button.

STEP 2: Issue the digital certificate

For this step, I’ll use my local CA running on a Windows 2k3 Server.

Open the Certification Authority snap-in and right-click the root of the tree, then choose All Tasks > Submit new request…

Next, you will have to select the filename saved at the end of step (1) above. In this case, this will be the server.csr filename. You should now have a pending request; right-click on the request and Issue the digital certificate.

On the left panel, go to Issued Certificates, identify your certificate and Export the Binary Data:

At the end of this process, you should have a digital certificate binary file. We will use this file next to import the digital certificate.

STEP 3: Import the Digital Certificate to the F5-BIGIP appliance

Connect back to your F5 and import the certificate; go to System > Device Certificates > Device Certificate > Import.

On the next screen, browse to the location where you previously exported the Digital Certificate binary file, select it and click Import:

Lastly, to verify successful installation of the digital certificate, log out and log back in … accept the certificate and click the little padlock shown in your browser in order to display the digital certificate used to encrypt the login session. Here is what I get on my Safari browser:

Notice the error message – this is only because my Certificate Authority is not a publicly recognised one. I could however manually add this certificate in my trusted root certificate folder and this error would be gone.
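The three steps above are all done through GUIs, so it is easy to end up with a certificate file that the appliance will not accept (issued against the wrong CSR, wrong chain, wrong name). The script below is an added example, not part of the original post and not F5 or Microsoft code: it replays the same three steps with openssl in a scratch directory (a device key and CSR standing in for what the BIG-IP generates, a throwaway local CA standing in for the Windows CA) and then runs the checks worth doing on any issued certificate before you import it: that its public key matches the device key, that it chains to the CA you expect your admins' browsers to trust (the cause of the error in the screenshot above), and that the CN is the name you use to reach the management interface. The hostname f5.example.com and the CA name are made up; the server.csr file name is the one used in step 2.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl on PATH.
# Everything is written to a scratch directory so nothing touches a real appliance.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 equivalent: the device key and the CSR. On the BIG-IP the GUI does this
# under System > Device Certificates; here the subject fields are constructed values.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=GB/O=Example Lab/CN=f5.example.com" 2>/dev/null
}

# Step 2 equivalent: a local CA signs the CSR. This throwaway CA stands in for
# the Windows Certification Authority used in the post.
make_ca_and_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example Lab/CN=Example Lab Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# Step 3 pre-import check 1: the issued certificate must carry the same public key
# as the device key, otherwise the appliance has no private key to go with it.
# Both sides are reduced to a SHA-256 of the PEM public key so they compare cleanly.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Check 2: the certificate chains to the CA. A browser that does not trust this
# CA shows exactly the warning described in the post; this verifies the chain
# against the CA file you intend to distribute to your trusted root store.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 3: the CN should be the name admins type into the browser, or the
# padlock check at the end of step 3 will flag a name mismatch.
cert_cn() {
  openssl x509 -in "$WORK/server.crt" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Run the procedure end to end and report each check.
make_csr
make_ca_and_sign
if key_matches_cert; then echo "key/cert match: ok"; else echo "key/cert match: FAIL"; fi
if chains_to_ca;     then echo "chain to CA:    ok"; else echo "chain to CA:    FAIL"; fi
echo "certificate CN: $(cert_cn)"
echo "files in: $WORK"
```

Against a real appliance you would point the same checks at the CSR and key you exported from the BIG-IP and at the binary file exported from the Windows CA (convert a DER export with `openssl x509 -inform der` first); the CN check is also a reminder that the name in the CSR, not the name of the CA, is what the browser compares against the address bar.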


Thank you,

Rafael A. Couto Cabral • LinkedIn Profile
Cisco​ | F5 | VMware Certified • PRINCE2 Practitioner

Originally posted 2017-10-05 10:45:36.
