How to Generate Certificate Signing Request (CSR) in F5 BIG-IP
You can generate a key, a temporary certificate, and a certificate request form with the Configuration utility or from the command line.
Note: We recommend using the Configuration utility for this process. The certification process is generally handled through a web page. Parts of the process require you to cut and paste information from a browser window in the Configuration utility to another browser window on the website.
You must have a separate certificate for each domain name on each BIG-IP Controller or redundant pair of BIG-IP Controllers, regardless of how many non-SSL web servers are load balanced by the BIG-IP Controller.
If you are already running an SSL server, you can use your existing keys to generate temporary certificates and request files. However, you must obtain new certificates if the ones you have are not for the following web server types: Apache + OpenSSL Stronghold
Generating a key and obtaining a certificate using the Configuration utility
To obtain a certificate, you must have a private key. If you do not have a key, you can use the Configuration utility on the BIG-IP Controller to generate a key and a temporary certificate. You can also use the Configuration utility to create a request file that you can submit. You must complete the following tasks in the Configuration utility to create a key and generate a certificate request.
- Generate a certificate request
- Submit the certificate request to a certificate authority and generate a temporary certificate
- Install the SSL certificate from the certificate authority
- Finally, install the intermediate certificate authority certificate.
To create a new certificate request using the Configuration utility
1. In the navigation pane, click Proxies. The Proxies screen opens.
2. On Proxies screen, click the Create SSL Certificate Request tab, the New SSL Certificate Request screen opens.
3. In the Key Information section, select a key length and key file name, choose 2048 bytes.
4. Type in the name of the key file.
5. This should be the fully qualified domain name of the server for which you want to request a certificate.
6. You must add the .key file extension to the name.
7. In the Certificate Information section, type the information specific to your company.
- Country - Type the two letter ISO code for your country
- State or Province - Type the full name of your state or province
- Locality - Type the city or town name
- Organization - Type the name of your organization
- Organizational Unit - Type the division name or organizational unit
- Domain Name - Type the name of the domain upon which the server is installed
- Email Address - Type the email address of a person to be contacted about this
- Challenge Password - Type the password you want to use as the challenge password
- Retype Password - Retype the password you entered for the challenge password.
8. Click the Generate Certificate Request button.
9. After a short pause, the SSL Certificate Request screen opens.
Use the SSL Certificate Request screen to start the process of obtaining a certificate from a certificate authority, and then to generate and install a temporary certificate.
Generate and install a temporary certificate
1. Click the Generate Self-Signed Certificate button to create a self-signed certificate for the server.
We recommend that you use the temporary certificate for testing only.
2. You should make your site live only after you receive a properly-signed certificate from a certificate authority.
When you click this button, a temporary certificate is created and installed on the BIG-IP Controller.
This temporary certificate allows you to set up an SSL gateway for the SSL Accelerator while you wait for a certificate authority to return a permanent certificate.
Generating a key and obtaining a certificate from the command line
To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the genconf and genkey utilities on the BIG-IP Controller to generate a key and a temporary certificate. The genkey and gencert utilities automatically generate a request file that you can submit to a certificate authority. If you have a key, you can use the gencert utility to generate a temporary certificate and request file.
These utilities are described in the following list:
genconf - This utility creates a key configuration file that contains specific information about your organization. The genkey utility uses this information to generate a certificate.
genkey - After you run the genconf utility, run this utility to generate a temporary 30 day certificate for testing the SSL Accelerator on the BIG-IP Controller. This utility also creates a request file that you can submit to a certificate authority to obtain a certificate.
gencert - If you already have a key, run this utility to generate a temporary certificate and request file for the SSL Accelerator.
To generate a key configuration file using the genconf utility
If you do not have a key, you can generate a key and certificate with the genconf and genkey utilities. First, run the genconf utility from the root (/) with the following commands:
The utility prompts you for information about the organization for which you are requesting certification. This information includes:
- The fully qualified domain name (FQDN) of the server
- The two-letter ISO code for your country
- The full name of your state or province
- The city or town name
- The name of your organization
- The division name or organizational unit
To generate a key using the genkey utility
1. After you run the genconf utility, you can generate a key with the genkey utility.
cd / /user/local/bin/genkey
2. After the utility starts, it prompts you to verify the information created by the genconf utility. After you run this utility, a certificate request form is created in the following directory:
3. In addition to creating a request form that you can submit to a certificate authority this utility also generates a temporary certificate. The temporary certificate is located in:
The "fqdn" is the fully qualified domain name of the server. Note that you must copy the key and certificate to the other controller in a redundant system, but for an SSL proxy you should have a valid certificate from your certificate authority.
To generate a certificate with an existing key using the gencert utility
To generate a temporary certificate and request file to submit to the certificate authority with the gencert utility, you must first copy an existing key for a server into the following directory on the BIG-IP Controller:
After you copy the key into this directory, type the following command at the command line:
cd / /user/local/bin/gencert
After the utility starts, it will prompt you for various information. After you run this utility, a certificate request form is created in the following directory:
The "fqdn" is the fully qualified domain name of the server.
WarungSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, WarungSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. WarungSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, WarungSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Geotrust reserves the right to make changes to any information herein without further notice.
Symantec adalah brand terbaik dan terpopuler di dunia SSL yang ada saat ini, yang menjamin keamanan dengan tingkat paling tinggi dan terpercaya. Ditandai dengan tampilan Norton Secured Seal yang telah dikenal secara meluas di dunia internet.selengkapnya
Entrust adalah salah satu CA sertifikat SSL yang berdiri di Minneapolis,Minnesota, Amerika Serikat yang telah sukses menguasai pasar industri SSL/TLS yang memiliki pendapatan $ 600 juta setiap tahunnya.selengkapnya
Comodo merupakan Brand dengan penawaran produk terlengkap dan terbanyak di industri keamanan komputer di dunia.selengkapnya
GeoTrust menawarkan berbagai SSL Certificate dengan harga terbaik dan melalui proses pengiriman cepatselengkapnya
Thawte merupakan SSL Certificate pertama yang didirikan di negara Afrika Selatan pada tahun 1995.selengkapnya
RapidSSL adalah Brand SSL Certificate dari Rapid yang memiliki keunggulan penerbitan sertifikat dalam waktu cepat dan proses yang mudah.selengkapnya
Certum merupakan brand SSL Certificate yang didirikan pada tahun 1998 di negara Polandia dan telah berkembang menjadi CA international yang terpercaya sebagai otoritas sertifikat teratas dan populer di negara tersebut.selengkapnya
Tipe SSL Certificate
Sertifikat SSL dasar yang hanya menawarkan sekedar enkripsi, yang bisa didapatkan cukup dengan approve kepemilikan domain.Selengkapnya
Sertifikat SSL tingkat menengah tidak hanya menawarkan enkripsi namun sebuah "trust" melalui validasi organisasi Anda.Selengkapnya