F5 Certificate Configuration

Source: Internet
Author: User

Description of the file formats involved:

CSR --> the certificate signing request generated on the F5. It contains the domain name, company name, department name, city, e-mail address and other information.

CRT/CER --> the certificate file (public key), issued by an authoritative certificate authority.

KEY --> the private key, which is generated as a pair with the CSR.

Examples:

1_root_bundle.crt --> certificate chain (a tree structure containing the certificates, traced back to the root certificate authority)

2_test_wosign.com.crt --> public key certificate (the certificate authority uses its private key to sign your CSR)

3_test_wosign.com.key --> private key (matches the public key)

A brief description of the SNI feature:

SNI lets one IP address serve multiple domain names, each bound to a different certificate. On F5 it is supported in v11.1.0.

[Screenshot: f5-certificate 016.png]

Environment

Device model: F5-1600; system version: 10.2.4

First, create a CSR file and back up the certificate and private key

To create a CSR file:

[Screenshot: f5-certificate 001.png]

Choose whether to self-issue:

[Screenshot: f5-certificate 002.png]


To back up the certificate and private key:

[Screenshots: f5-certificate 003.png to f5-certificate 006.png]

Second, install the certificate

Paste the certificate content issued by the certification authority (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") into Notepad and save it as a server.cer file.

Install the certificate file:

[Screenshot: f5-certificate 007.png]

Status after successful import:

[Screenshot: f5-certificate 008.png]

To add a certificate chain:

Paste all certificate blocks in the certificate issuance message, each from BEGIN to END, into Notepad, separated by line breaks. Save the file as Ca-bundle.cer.

[Screenshots: f5-certificate 009.png to f5-certificate 011.png]
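A pre-import check for the pasted server.cer and chain files described above, as an added example that is not part of the original article: it flags boundary lines with the wrong number of dashes, stray text, a leading byte order mark and blocks that do not decode to DER. The function name and the sample blocks are constructed for illustration; the samples are DER-shaped placeholders, not real certificates.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def lint_pem_bundle(text):
    """Return (certificate_count, problems) for a pasted PEM certificate file."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a byte order mark")
        text = text.lstrip("\ufeff")
    count, body, inside = 0, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN before the previous block ended")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {n}: END without a matching BEGIN")
                continue
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append(f"line {n}: block body is not valid base64")
                continue
            # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
            if der.startswith(b"\x30"):
                count += 1
            else:
                problems.append(f"line {n}: decoded block is not a DER SEQUENCE")
        elif re.fullmatch(r"-+\s*(BEGIN|END) CERTIFICATE\s*-+", line):
            problems.append(f"line {n}: malformed boundary {line!r}")
        elif line and inside:
            body.append(line)
        elif line:
            problems.append(f"line {n}: stray text outside a certificate block")
    if inside:
        problems.append("last block has no END line")
    return count, problems

def fake_block(payload):
    # Constructed sample: a DER-shaped blob, not a real certificate.
    der = b"\x30" + bytes([len(payload)]) + payload
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"

GOOD = fake_block(b"intermediate") + fake_block(b"root")
BAD = GOOD.replace(BEGIN, "----BEGIN CERTIFICATE-----", 1)
```

Run `lint_pem_bundle(open(path, encoding="utf-8").read())` on each file before importing it; an empty problem list and the expected certificate count mean the paste survived intact.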

Third, configure the profile and associate the certificate

There are two places where a server certificate can be used. One is between F5 and the client (ssl-client).

The other is between F5 and the back-end server (ssl-server).

The path from F5 to the client is generally considered unsafe, so a certificate is used there. The path from F5 to the back-end servers is generally considered secure and generally does not use certificates.

[Screenshots: f5-certificate 012.png and f5-certificate 013.png]

Parent Profile: trusts the same root certificate. Mapping multiple domain names to one IP requires F5 system version 11.0.

When you are finished, select Update to save. After the certificate is successfully configured, you need to create a virtual server on port 443 and attach the client SSL profile above to enable the SSL certificate for that site.

Fourth, two-way authentication configuration

Two-way authentication requires the client to present a personal client certificate in order to log on to the specified page. You do not need to configure this section if clients are not forced to authenticate.

For two-way authentication, you need to configure the following:

Trusted Certificate Authorities: the root certificate for the client certificates

Client Certificate: there are two modes to choose from

Require: the client must submit a certificate; this mode is typically used

Request: the client may submit a certificate or not

Advertised Certificate Authorities: when a client connects, the server sends this information to the client, so that the certificate selection list that pops up on the client includes only the client certificates issued by the selected root certificate. If you have intermediate certificates, select the certificate chain.

[Screenshots: f5-certificate 014.png and f5-certificate 015.png]

After completing the certificate import and profile settings, you also need to set the properties under Virtual Server: bind the virtual service address to the profiles you just created, and click Update to complete the certificate configuration.

The logical relationship is that the certificate is bound to the profile, and the virtual server references the profile.

Related documentation on the F5 website:

https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication

This article is from the IT Technology stickers blog, so be sure to keep this source http://jiangyuchen.blog.51cto.com/9221625/1865598
