Forum Discussion

Mic_108850
May 07, 2010

HTTPS and SSL certificate for 2 BIG-IPs

Hi,

I have 2 BIG-IPs in different locations (they are configured in Symmetrical deployment mode).

BIG-IP 1:

VS_a1.test.domain.com (https)
with Pool (ip1:443)

ip1 uses an SSL certificate.
For a1.test.domain.com I have a specific SSL certificate on BIG-IP1.

BIG-IP 2:

VS_a2.test.domain.com (https)
with Pool (www.domain1.com:443)

For a2.test.domain.com I have a specific SSL certificate on BIG-IP2.

If I activate multiconnect mode on BIG-IP1 and 2 I will have:

https://wa1.a1.test.domain.com
https://wa2.a1.test.domain.com

on the other one:

https://wa1.a2.test.domain.com
https://wa2.a2.test.domain.com

What is the best solution to use SSL certificates with multiconnect? Can I use the same wildcard certificate on both BIG-IPs for each VS_a1.test.domain.com and VS_a2.test.domain.com, or is there a better solution?

Thanks
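A check worth running before buying the wildcard, as an added example that is not part of the original thread: browsers apply the RFC 6125 rule that `*` matches exactly one DNS label, so the multiconnect hostnames from the question (wa1.a1.test.domain.com etc.) sit one label deeper than a1.test.domain.com and are not covered by the same wildcard. The function below implements that rule and reports which of the question's hostnames each candidate certificate name covers; the hostname list is constructed from the post.

```python
# Added example (not from the DevCentral thread): RFC 6125 section 6.4.3
# wildcard matching as browsers apply it, run against the hostnames that
# multiconnect mode produces in the question above.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules: comparison is case-insensitive; '*' may only be the entire
    left-most label; '*' matches exactly one label (never a dot); and a
    wildcard needs at least two labels to its right (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False                        # malformed wildcard: reject, never guess
    if len(p_labels) != len(h_labels):
        return False                        # '*' covers one label, so counts must match
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name covering it, or None."""
    return {host: next((n for n in cert_names if wildcard_matches(n, host)), None)
            for host in hostnames}


# Constructed from the hostnames listed in the question.
MULTICONNECT_HOSTS = [
    "a1.test.domain.com", "wa1.a1.test.domain.com", "wa2.a1.test.domain.com",
    "a2.test.domain.com", "wa1.a2.test.domain.com", "wa2.a2.test.domain.com",
]

if __name__ == "__main__":
    # First set: the single wildcard the question proposes. Second set: what
    # would actually be needed to cover the deeper multiconnect names too.
    for names in (["*.test.domain.com"],
                  ["*.test.domain.com", "*.a1.test.domain.com", "*.a2.test.domain.com"]):
        print(names)
        for host, match in coverage(names, MULTICONNECT_HOSTS).items():
            print(f"  {host:26s} -> {match or 'NOT COVERED (browser warning)'}")
```

Run it and the first set shows the four wa1/wa2 names uncovered, which is the reason a single `*.test.domain.com` certificate on both BIG-IPs does not answer the multiconnect case; a per-VS wildcard or a certificate with explicit SAN entries does.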

4 Replies

  • Hamish
    For test domains you could just use self-signed certs... Cheaper (i.e. free). The only downside with using the same wildcard cert across multiple devices is having to keep the keys and certs synced across multiple devices, and you don't want to share your CA-signed certs across TOO many devices (the more it's shared, the less secure it'll be, especially if you have to swap boxes out for repair etc. and the HD is returned or swapped out etc.).

    H
  • Mic,

    I've done exactly what you are talking about across multiple F5 pairs with wildcard SSL certificates and haven't had any problems in the past.

    I can't say that I've ever had the problem that Hamish is describing, although you can never be too safe. We've thought of the security aspects of having the SSL certificates on the F5's and we actually use them as a storage repository for SSL certificates that are created and not used on the F5's (so that we can keep track of them in case the server has a failure).

    In the event of an F5 RMA (which in 4 years I've only had to do once, and that was an SSL accelerator card failure) you can retrieve and then delete all of the current SSL certificates that reside on an F5 to keep them secure in your company's hands.

    They are located in the following directories:

    /config/ssl/ssl.crl
    /config/ssl/ssl.csr
    /config/ssl/ssl.key
    /config/ssl/ssl.crt
  • Hamish
    As far as I am aware there is no secure delete facility on the F5's... Which means even if you do rm the files, they're still there...

    Just as a further note, you CAN purchase the drive (and then remove it before you send it back; it's an option in your support IIRC)... But it's expensive...

    For horror stories, just google it... A while back there were several articles where people (researchers) had purchased devices (not just F5's) and discovered certs on them (and other data). Best to be paranoid around keys.

    H
  • Assuming the unit still boots, I wonder if you could use a utility like DBAN to securely wipe the HDD before returning a defective unit for an RMA.

    http://www.dban.org/faq/burning
    http://www.pendrivelinux.com/install-dban-to-a-usb-flash-drive-using-windows/

    Else, F5 can allow you to keep (or have them securely destroy?) the drives for an extra charge. Or if you have a decent chunk of money to spend, you could go for a FIPS card to securely store the SSL private keys without worry that they can be exported. FIPS is only supported on the higher-end models though.

    Aaron