Forum Discussion

waterfall_10467
May 02, 2013

SSL_CERTIFICATE

Hello,

I've recently received a request from our core security team about an SSL certificate that has been imported on the F5. They told me that the certificates have to be non-exportable according to our company policies. That's why I have to configure it as they specified. But even though I have investigated the topic on DevCentral and OpenSSL pages, obviously I couldn't find tangible information. Could someone please help me with the request?

https://devcentral.f5.com/wiki/iControl.Management__KeyCertificate.ashx

thank you in advance...

7 Replies

  • "They told me that the certificates have to be non-exportable according to our company policies. That's why I have to configure as they specified." I do not think it is possible (to make it non-exportable). The private key can be encrypted or imported to FIPS, but it is still exportable (in encrypted format).
  • "Do you think, should I use openssl?" You can encrypt the private key using openssl.
  • The only way to prevent exportability of private keys on the BIG-IP is to store them in a FIPS module. Yes, you can still export private keys from FIPS, but they are in a proprietary encrypted format.
  • Kevin, hello,

    Please confirm for me that if we buy the FIPS module for 6900 platforms, we can make the SSL keys and certs non-exportable, can't we?

    Thanks


  • Nitass,

    Do you have the command syntax for the operation? Could you please support me?

    Thanks


  • FIPS or Federal Information Processing Standard presents a set of standards by which information is to be handled. Specifically, the FIPS 140-2 standard sets the security requirements for cryptographic material, and level 2 of that standard, the level that the BIG-IP 8900 adheres to, adds requirements for physical tamper-evidence and role-based authentication to the "key store". The FIPS module that you can purchase with the BIG-IP is a hardware-based security module (HSM) that is a card attached to the motherboard that provides secure storage of cryptographic keys. There are two ways to get new keys into the card: you can import them (which implies that you have a soft copy somewhere), or you can create them there as part of the CSR process to generate new certificates. In either case, once the key is loaded into the HSM, the FIPS certification guarantees a level of protection from extraction attempts. You can, technically, export the keys from the HSM, but only in a proprietary encrypted (and unusable) format. The format is similar to PKCS12.
    I also want to point out that the HSM only stores private keys. PKI requires two keys (public and private). The public keys (certificates) are still stored in the file system.
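A worked example of what Nitass's openssl suggestion and Kevin's "exportable only in encrypted form" point mean in practice. This is added shell for illustration, not code from the thread, from F5 or from the BIG-IP product; it assumes only that the openssl CLI is on PATH, and it generates a throwaway sample key rather than touching any real BIG-IP key. The function names (make_sample_key, encrypt_key, is_encrypted_key, same_key, wrong_pass_rejected) are this example's own.

```shell
#!/bin/sh
# Added example: encrypt an RSA private key at rest with OpenSSL and verify
# the result. Assumes the openssl CLI is on PATH (OpenSSL 1.1 or 3.x).

# Generate a throwaway 2048-bit RSA key (constructed sample, not a production key).
# $1 = output path
make_sample_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Encrypt a PEM private key with AES-256 under a passphrase.
# $1 = plaintext key, $2 = encrypted output, $3 = passphrase
encrypt_key() {
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
}

# Return 0 if the PEM file is passphrase-protected. Handles both the
# OpenSSL 1.x traditional header (Proc-Type: 4,ENCRYPTED) and the
# OpenSSL 3 PKCS#8 header (BEGIN ENCRYPTED PRIVATE KEY).
# $1 = PEM file
is_encrypted_key() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Return 0 if the encrypted copy still carries the same key material:
# the public key derived from each file must be identical.
# $1 = plaintext key, $2 = encrypted key, $3 = passphrase
same_key() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 if the encrypted key cannot be loaded with a wrong passphrase,
# which proves the passphrase is enforced rather than being a header only.
# $1 = encrypted key
wrong_pass_rejected() {
    ! openssl pkey -in "$1" -passin "pass:not-the-passphrase" -noout 2>/dev/null
}

# Stand-alone demo: run as "sh encrypt_key_demo.sh demo".
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_key "$tmp/key.pem"
    encrypt_key "$tmp/key.pem" "$tmp/key.enc.pem" 'correct horse battery staple'
    is_encrypted_key "$tmp/key.enc.pem" && echo "encrypted copy has an encryption header"
    same_key "$tmp/key.pem" "$tmp/key.enc.pem" 'correct horse battery staple' && echo "same key material"
    wrong_pass_rejected "$tmp/key.enc.pem" && echo "wrong passphrase rejected"
    rm -rf "$tmp"
fi
```

Note what this does and does not achieve: the encrypted PEM is still a file that anyone with read access can copy, and anyone holding the passphrase can turn it back into the plaintext key, so passphrase encryption protects the key at rest but does not make it non-exportable in the sense the security team asked for. That is exactly the distinction the replies draw: only an HSM such as the FIPS module keeps the plaintext private key from ever leaving the device, and even then the proprietary encrypted export Kevin describes exists.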