Unofficial - F5 Certification Exam Prep Material > F5 301A - BIG-IP LTM Specialist Labs - Created 11/01/19 > Lab 5 - SSL Source | Edit on
SSL Certificates and Profiles¶
Creating and Importing Certs and Key¶
You want the highest levels of encryption between the BIG-IP and the client, but you do not require the same levels of encryption between the BIG-IP and the server and you would like to save server processing power. You are going to create new SSL certificates with 2048 bit keys for client-side SSL and import a certificate you own that has a 1024 bit keys for the server-side SSL processing.
Create the client-side SSL certificate and key.
Go to System >> File Management >> SSL Certificate List and select Create and enter the following information.
Name | new_ssl_cert |
---|---|
Issuer | Self |
Common Name | ltm301a.f5demo.com |
Division | Training |
Organization | F5 |
Locality | Lab |
Country | United States |
State | Washington |
example@f5demo.com | |
Subject Alternative Name | <leave this blank> |
By default, a self-sign certificate starts with a Lifetime of 365 days and the key type is 2048 bit RSA.
Import the SSL certificate and key below to the BIG-IP to be used for server-side encryption by selecting Import.
You can find the cert and key under the Lab Guides link on your browser bookmark bar. Look for the Cert 301a LTM Architect.txt file/link. Open the link and the certificate and key are in there under LAB 5 - SSL
You may want to import the Key first, as it will validate certificate if your naming both the same. If you were to import the certificate first and then import a Key with the same name you could technically attached an invalid key to the certificate.
Import the Key (Type), named import_ssl_cert, leave the Password blank.
RSA Private Key:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCobsrka60VT1TLfQsamdtQCbvfnGC9ibiTtPjaHXRBpNV70prY
rihQqj3pBNlE4dvK0ucF49gGF5HXpKZDqZWXai3AnJhia248FRyT/ezxAjVqamFh
c3Lhx5ykSIxWzzw+VBuwTIvg2MS3aE3P/2CQ8MI02/uiLsya0eydw3EyiQIDAQAB
AoGBAKPN3BP5hALNfDHKEhp0tw1H6ia19n9eiNtdjQbSzlVo8RXS5DUGar7IUh1k
UcjjvtWp9nOL+nMySOvnfKshKhDbB/73NRg7VZ1eZL6K/0vv37KbDSU8KTQssSb3
myKxrRVMbxxpPujpUNT3gd6XqdUXyPjWuJOkCGLgVfGhANHhAkEA2ssfpYXgID2a
0B+VC+FaAB0GBg5P/oQF3mTPSj460totqGWeXi7beuYXgFYLbn5BNHCsDeVclZMy
ws7k4SZiiwJBAMUTSRX3rjeZBpl0zF6xr/JFfw0Fd4lgKDO+hFZvrbhDUYIU9D08
ROyH+FViQ0IoV2BtW9IZDtN/GzoroLE/hbsCQQCG5cwaSwOX/UOxZHeJ/qR2A28O
Vs69dvsDVpZ0CRBNppWWCSlummdaS/lbeDHOK2vagEmku7CszDf04ok9xGPnAkAl
5rubmfLLhoaaZLgZThsEgREaM/71UKTqrq1M4lWKpoe6eMUwMbMfulasNSWyR4fm
Z6HNGjybuEpIObPB4vGZAkBo1LKCZXas+mxRfZeucfzPLOx5a8XmwtV57br+ivnK
n0OIrSExckYHeeWb4sFl8Y/S85yyBqHS5q5v9s/x2fvp
-----END RSA PRIVATE KEY-----
Import the certificate. Type Certificate and named import_ssl_cert
Certificate:
-----BEGIN CERTIFICATE-----
MIIBuzCCASQCCQCTVAeV4noavTANBgkqhkiG9w0BAQUFADAiMSAwHgYDVQQDExds
aW51eDMyc2VydmVyMS5mNXNlLmNvbTAeFw0xMDA2MTkyMTI2NTZaFw0yMDA2MTYy
MTI2NTZaMCIxIDAeBgNVBAMTF2xpbnV4MzJzZXJ2ZXIxLmY1c2UuY29tMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCobsrka60VT1TLfQsamdtQCbvfnGC9ibiT
tPjaHXRBpNV70prYrihQqj3pBNlE4dvK0ucF49gGF5HXpKZDqZWXai3AnJhia248
FRyT/ezxAjVqamFhc3Lhx5ykSIxWzzw+VBuwTIvg2MS3aE3P/2CQ8MI02/uiLsya
0eydw3EyiQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAH1e+FXvNOnKlP5RO5wKVjG0
C8F4Xww462beL2LeYZvV3ZjDoTUU0CNkkOnOKMbLkaiTICpBdd836sIiloAyV8M1
2YZwxgwP/fV4ycTjHUnloEBmmmBVmW3M5DzLGA1k9cB1dUly5koIoRE9mYRWm9V2
ZzYkbZf96KMh8zH47R4y
-----END CERTIFICATE-----
Q1. What is the common name of your imported certificate and when does it expire?
SSL Profile and Virtual Servers¶
Now you will create a custom client and server side SSL profiles using your new certificates and key and attach them to you secure_vs and test.
Create a custom client SSL profile using your new_ssl_cert certificate, by going to Profiles > SSL > Client.
Name you new profile my-client-ssl and place new_ssl_cert in the Certificate and Key drop-downs.
Make sure you Add the certificate and key before you Finish.
Go to the SSL Server profiles and create a new profile named my-server-ssl with your import-ssl-cert certificate and key.
Replace the current default client-side and server-side SSL profiles with your new SSL profiles.
Browse to http://10.1.10.115.
Q1. Did it work?