Forum Discussion

Michael_59762
Jul 19, 2010

Install SSL certificate on F5 device from iControl Perl

Hi. Right now, we upload SSL certs/keys to the server and then edit the Apache httpd.conf with virtual host info about the IP, server name, and cert paths.

If I install the SSL cert on the F5 device from iControl Perl, how do I do it?

I checked out the wiki API section and I found Management::KeyCertificate and GlobalLB::VirtualServer. Not sure if I need both. Will it work if I use another API that creates all the cert files and then just use GlobalLB::VirtualServer to set the virtual host info? Or should I use another API for my case?

Thanks.

3 Replies

  • Hi Michael,

    iControl cannot be used to install SSL certs and keys on your web servers, but you can use iControl to install certs and keys on the F5 LTM. However, you need to use your F5 LTM to offload (terminate) SSL connections. From what you are describing it looks like you are not using SSL offloading. If you have no idea about SSL offloading, I suggest that before jumping into programming it in Perl you read up on it in the F5 documentation and configure it in the F5 LTM Web GUI manually at least once to understand how it works.

    Essentially you will need to import your certs & keys into the F5 box and create a clientSSL profile which links your cert, the key and possibly the intermediate CA. You should already have your certificates obtained from the Certification Authority (CA) in order to import them (although you can create Certificate Signing Requests using the F5 Web GUI or API).

    If you have a requirement to have SSL encrypted traffic between the F5 box and the servers, you will also need a ServerSSL profile.

    Using the iControl API you can upload your certs and keys to the F5 box, create a ClientSSL profile and assign it to a Virtual Server.

    The most convenient form of working with certs and keys in iControl is to use the "import_from_pem" method (your cert and key must be in PEM format; most certificates for Apache are in PEM these days, however if they are not, it is easy to convert them to PEM using openssl).

    Have a look at the following documentation in the wiki:

    http://devcentral.f5.com/wiki/default.aspx/iControl/Management__KeyCertificate__certificate_import_from_pem.html

    http://devcentral.f5.com/wiki/default.aspx/iControl/Management__KeyCertificate__key_import_from_pem.html

    Then to create the ClientSSL you will need:

    http://devcentral.f5.com/wiki/default.aspx/iControl/LocalLB__ProfileClientSSL__create.html

    and finally to add your ClientSSL profile to your Virtual Server you will need:

    http://devcentral.f5.com/wiki/default.aspx/iControl/LocalLB__VirtualServer__add_profile.html

    with ProfileContext set to PROFILE_CONTEXT_TYPE_CLIENT.

    There are examples of how to work with iControl in Perl in the iControl SDK.

    Sam

  • Hi. I'm trying to do this from the web GUI first.

    I just imported the cert & key, but it seems I can't import an intermediate CA?

    In some cases, you need your intermediate CA as well.

    Is this something the web GUI doesn't have?

    Also I attached a screenshot.

    As you can see the SSL Certificate tab is inside the Local Traffic tab.

    I just wonder if that means these settings are only for the internal network?

    Does that mean anyone outside who goes to https://test.miccheung.com in their browser won't be able to get anything?

    Thanks.

  • You can create a Certificate Bundle by adding the ---Begin Certificate--- xyz ---End Certificate--- block for each of your Certificate Chain certificates to one text file. You then upload the whole file and it will show as a Certificate bundle and can be used as the Intermediate CA in your clientssl profile.
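The steps Sam lists (PEM import, ClientSSL profile, add_profile with PROFILE_CONTEXT_TYPE_CLIENT) and the certificate bundle from the last reply, written up as one iControl Perl script. This is an added example, not code from the thread or from the F5 SDK; the host, credentials, PEM file names, virtual server name and object names are placeholders, and `set_chain_file`, which the thread does not mention, is assumed to be the ProfileClientSSL call that attaches the bundle as the profile's chain.

```perl
use strict;
use warnings;
use SOAP::Lite;

my ($host, $user, $pass) = ('ltm.example.internal', 'admin', 'CHANGE_ME');   # placeholders
my $vs   = 'vs_test_https';        # existing virtual server (placeholder)
my $name = 'test_miccheung_com';   # base name for the cert, key and profile objects

sub SOAP::Transport::HTTP::Client::get_basic_credentials { return $user => $pass }

sub icontrol {                     # one SOAP::Lite client per iControl interface
    my $iface = shift;             # e.g. 'Management/KeyCertificate'
    return SOAP::Lite->uri("urn:iControl:$iface")
                     ->proxy("https://$host/iControl/iControlPortal.cgi");
}
sub slurp { my $f = shift; open my $fh, '<', $f or die "$f: $!"; local $/; my $c = <$fh>; $c }
# Die on any SOAP fault instead of continuing with a half-built configuration.
sub check { my $r = shift; die $r->faultstring if $r->fault; return $r }

my $kc   = icontrol('Management/KeyCertificate');
my @mode = (SOAP::Data->name(mode => 'MANAGEMENT_MODE_DEFAULT'));
my $keep = SOAP::Data->name(overwrite => 'false');   # never clobber an existing object

# 1. Import the private key and the server (leaf) certificate from PEM.
check($kc->key_import_from_pem(@mode, SOAP::Data->name(key_ids => [$name]),
    SOAP::Data->name(pem_data => [slurp('test.key')]), $keep));
check($kc->certificate_import_from_pem(@mode, SOAP::Data->name(cert_ids => [$name]),
    SOAP::Data->name(pem_data => [slurp('test.crt')]), $keep));

# 2. Chain bundle: concatenate the intermediate CA PEM blocks into one text and
#    import that as a certificate; it can then serve as the profile's chain.
my $bundle = join '', map { slurp($_) } qw(intermediate.crt);
check($kc->certificate_import_from_pem(@mode, SOAP::Data->name(cert_ids => ["${name}_chain"]),
    SOAP::Data->name(pem_data => [$bundle]), $keep));

# 3. ClientSSL profile tying key, cert and chain together (ProfileString structs).
my $ps      = icontrol('LocalLB/ProfileClientSSL');
my $profile = "clientssl_$name";
my $pstr    = sub { [{ value => $_[0], default_flag => 'false' }] };
check($ps->create(SOAP::Data->name(profile_names => [$profile]),
    SOAP::Data->name(keys => $pstr->("$name.key")), SOAP::Data->name(certs => $pstr->("$name.crt"))));
check($ps->set_chain_file(SOAP::Data->name(profile_names => [$profile]),
    SOAP::Data->name(chains => $pstr->("${name}_chain.crt"))));

# 4. Attach the profile to the virtual server in the client-side context.
check(icontrol('LocalLB/VirtualServer')->add_profile(
    SOAP::Data->name(virtual_servers => [$vs]),
    SOAP::Data->name(profiles => [[{ profile_context => 'PROFILE_CONTEXT_TYPE_CLIENT',
                                     profile_name    => $profile }]])));
```

Each call goes through `check`, so a SOAP fault (for example a key that already exists with `overwrite` false) stops the script before a profile is created that points at the wrong objects.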