Forum Discussion

sosabsd_111766
May 22, 2014

what is required for SSL cert on F5

Hi, I need to know what is required from the F5 node itself for SSL certs, and then how to get it approved by the SSL authority. Do I need to generate the SSL cert on F5 and send it to external SSL authorities? Second: we are planning to have 2 virtual servers on the same node, and want to have different SSL certs, so what do I need to do about it?

BR sosa

4 Replies

  • I need to know what is required from the F5 node itself for SSL certs, and then how to get it approved by the SSL authority. Do I need to generate the SSL cert on F5 and send it to external SSL authorities?

    A standard PKI certificate and private key are required. You can generate the private key and a certificate signing request (CSR) locally, get the CSR signed, and then import the certificate, or you can do the entire process somewhere else and import the private key and signed certificate. Or you can generate a self-signed certificate.

    Second: we are planning to have 2 virtual servers on the same node, and want to have different SSL certs, so what do I need to do about it?

    This is a little tricky with SSL. In LTM v11 and above, you now have the option of using the TLS SNI (Server Name Indication) extension. This allows you to create separate client SSL profiles with their own respective certificate/private key, and then assign all of those client SSL profiles to a single virtual server. If the client supports TLS, it will insert a "Server Name" attribute into its CLIENTHELLO message, which the LTM will use to select the appropriate SSL profile. In each client SSL profile, enter a Server Name string that matches the subject of the assigned certificate. In ONE of these client SSL profiles, also check the "Default SSL Profile for SNI". The one drawback to this approach is that clients must support TLS (vs. SSL). These days it's getting harder to find user agents that don't support it, but I'm sure they're still out there. If the client attempts to negotiate with SSL, then SNI will fail and the "default" profile will be selected.

    Other options include getting a single wildcard or SAN (subjectAltName) certificate that contains all of the subjects, then you can create and use one client SSL profile for multiple hosts.
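As an added example (not from this thread or from F5), the "do the entire process somewhere else and import the private key and signed certificate" route from the reply above: generate the key and CSR off-box with openssl, putting both virtual-server hostnames into subjectAltName so one signed certificate can back a single client SSL profile, and check the CSR before it goes to the CA. The hostnames are placeholders; openssl is assumed to be installed.

```shell
# Added example (not from the original thread): generate the private key and CSR
# off-box with openssl, then verify the CSR before sending it to the CA.
# Hostnames are placeholders; the CSR carries both virtual-server names in
# subjectAltName so one signed certificate (one client SSL profile) serves both.
set -e

PRIMARY="vs1.example.com"     # placeholder: first virtual server hostname
SECONDARY="vs2.example.com"   # placeholder: second virtual server hostname

# make_csr KEY CSR: write a 2048-bit RSA key (mode 0600) and a CSR whose
# subjectAltName lists both hostnames. Only the CSR leaves the box.
make_csr() {
    key="$1"; csr="$2"; cfg="$csr.cnf"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $PRIMARY
[ext]
subjectAltName = DNS:$PRIMARY,DNS:$SECONDARY
EOF
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null )
}

# csr_sans CSR: print the subjectAltName entries of the CSR without spaces,
# e.g. DNS:vs1.example.com,DNS:vs2.example.com
csr_sans() {
    openssl req -noout -text -in "$1" |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# csr_matches_key KEY CSR: succeed only if the CSR was made from KEY
# (same RSA modulus), the usual check before importing the pair together.
csr_matches_key() {
    kmod=$(openssl rsa -noout -modulus -in "$1")
    cmod=$(openssl req -noout -modulus -in "$2")
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Demo run in a temporary directory.
WORKDIR=$(mktemp -d)
make_csr "$WORKDIR/vs.key" "$WORKDIR/vs.csr"
echo "SANs: $(csr_sans "$WORKDIR/vs.csr")"
csr_matches_key "$WORKDIR/vs.key" "$WORKDIR/vs.csr" && echo "key/CSR modulus match"
```

Send only the .csr to the CA; the .key stays on the box and is imported alongside the returned certificate.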

  • Hi, Kevin has explained the process, but I just want to clarify with you about the 'two virtual servers on the same node'. Do you mean there will be a VM host with two virtual servers configured, running either separate IPs or sites on separate ports?

    If so, you can simply create two VIPs, and assign each a different SSL client profile (one for each of the certificates), then have two separate pools with the VM's IP/port.

    Cheers, Bohun

  • Hi,

    Thanks for the reply. Can you please provide info about how to create a private key & certificate signing request (CSR) locally on F5?

    BR sosa