Forum Discussion

genseek_32178
Feb 05, 2013

SSL Cert

Hi Experts,

We have a Virtual listening on 443, and we are expected to apply a clientssl profile to the VS. But we are told that before we apply the profile, we need to copy the .crt to the box if it is not there already.

How can we check if the cert is there already or not? If it is not there, how do we copy the .crt to the box? What is the command?

thanks-genseek

7 Replies

  • Hamish
    Do the cert and private key already exist somewhere else (i.e. are you moving this SSL from another server to the BigIP)? If so, then you simply need to export the cert and key from the original location and import them into the BigIP. If you look under the local traffic management menu of the BigIP, there's an item for SSL certificates. In there you can import keys and certificates.

    If it's a new cert you need, then create a new key from the BigIP GUI (at least 2048 bits in length) with the correct CN and other info, then submit the CSR (Certificate Signing Request) to a suitable CA, pay them some dosh and they'll send you a signed cert. You then import that into the BigIP.

    Once the cert and key are on the BigIP you just need to create a new clientssl profile and attach that to the VS you want to have perform the SSL Offload function.

    H
  • Thank you for the response Hamish.

    Can we export keys and cert using the bigpipe CLI command line? If yes, what would those commands be?
  • Any files should be in the PEM format, although I think PKCS12 is now supported too, in v11?
  • Hamish
    Are you moving from one BigIP to another? If so, save as an archive, and then just load the archive.

    H
  • Hamish
    Right. So you need to export the SSL cert and key from the server (obviously no BigIP CLI command there) and import them into the BigIP. Make sure they're exported in PEM format to save trouble.

    H
  • Hamish
    Doubly & triply make sure that when the SSL key is exported and provided to you it isn't emailed or anything silly like that. The key is just that. A key. If it's compromised, generate a new key and CSR and get it signed. Get the compromised one REVOKED by the CA who signed it. You DO NOT want to have your private key out there (with it anybody can spoof you and decrypt the traffic to your server).

    H
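The two points Hamish makes above, "make sure they're exported in PEM format" and "keep the private key private", are the checks worth scripting before a cert and key are handed to any load balancer. The script below is an added example and is not code from this thread or from F5; it assumes only a POSIX shell and the openssl command-line tool, does not use any BigIP-specific command, and the file names in the usage comment are placeholders. It reports which PEM labels a file carries (so a DER or PKCS#12 export is spotted before import), refuses a passphrase-protected key, confirms that the key actually belongs to the certificate by comparing the public key derived from each, checks the certificate has not expired, and flags a key file that is readable by group or other.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a PEM cert/key pair
# before importing it. Assumes a POSIX shell and the openssl CLI only.
# Usage: check_pem_pair /path/to/server.crt /path/to/server.key   (placeholder paths)

# pem_labels FILE: print the "BEGIN ..." labels found in FILE.
# Prints "no-pem" and returns 1 for a binary (DER or PKCS#12) file, which
# must be converted with openssl before it can be imported as PEM.
pem_labels() {
    if ! grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo "no-pem"
        return 1
    fi
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# key_is_unencrypted FILE: returns 0 when the key is stored without a passphrase,
# 1 for an encrypted PKCS#8 key or a legacy "Proc-Type: 4,ENCRYPTED" key.
key_is_unencrypted() {
    if grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        return 1
    fi
    return 0
}

# key_perms_ok FILE: returns 0 only when group and other have no permission
# bits at all on the key file (the "------" part of "-rw-------").
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_pem_pair CERT KEY: returns 0 when both files parse as PEM, the key is
# unencrypted, the cert has not expired, the key matches the cert, and the
# key file is private. Every problem found is printed; the status is 1 if any.
check_pem_pair() {
    cert=$1; key=$2; rc=0
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM X.509 certificate"; rc=1
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"; rc=1
    fi
    if ! key_is_unencrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; decrypt it with 'openssl pkey' before import"; rc=1
    elif ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "FAIL: $key is not a PEM private key"; rc=1
    fi
    [ "$rc" -eq 0 ] || return "$rc"
    # The public key derived from the private key must equal the one embedded
    # in the certificate; this works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    if ! key_perms_ok "$key"; then
        echo "FAIL: $key is readable by group/other; chmod 600 it"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are a matching PEM pair"
    return "$rc"
}
```

A mismatch between cert and key is the most common reason an import or a new clientssl profile fails, so the public-key comparison is the check to run first when the GUI rejects a pair; the permission check catches the case Hamish warns about, where the key has been copied around (or mailed) and landed world-readable on the box.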