Thursday, July 5, 2012

How to renew an SSL certificate for F5 BIG-IP v11.x

F5 Network's BIG-IP appliances are insanely complicated things that are designed to handle a great deal of networking 'stuff' such as SSL acceleration and load balancing. However, me and my colleagues are some of F5's biggest critics due to their documentation or, lack thereof. Maybe it makes sense to some people, but for me trying to find information on F5's "AskF5 Knowledgebase" tool is ridiculous as well as trying to find out how to perform some of the most elementary tasks on an F5 appliance. Navigating the F5 BIG-IP admin guide is as easy as sniffing your way out of a sewage drain. But, the fact remains is that F5 appliances do serve a dire need in the enterprise and they do work well.

Today's article will address a task that should have been documented more simply than shown in F5's knowledgebase. F5 assumes that you are already familiar with various SSL certificate types, the certificate issue process, and how to convert certificates to different formats. Now to be fair, if you are going to be administering an F5 you should already know this information. But since I wasn't well versed in SSL certificates before I started getting acquainted with a BIG-IP appliance, I am going to address those issues here.

Understanding SSL Certificates

An SSL certificate is actually two pieces, a certificate and its private key. When an SSL certificate is 'digitally signed', this means that the private key and the cert itself are paired together. When you need an SSL certificate, you first create a Certificate Signing Request (CSR) and upload it to a Certificate Authority (CA) such as Verisign or GoDaddy. After you pay the CA to authorize the request, the CA then digitally signs the request with a private key and sends it back to you. This certificate can then be converted to different file formats depending on your needs, and/or directly imported to your server(s) or network appliance(s). SSL Certificates are purchased in 1, 2, or 3 year increments.

F5 supports Self-Signed SSL certificates as well as Root Certificates. The only difference between the two is that self-signed certificates are generated by, well, you. Root certificates are authorized by a high-level entity which, in essence, are more secure. One reason why you pay a high-level entity like Verisign for an SSL certificate is for the privilege of claiming that your website has been 'verified' to be secure. There are many more reasons why you would want to do this, but know that both cert types encrypt IP traffic between hosts and servers.

There are several certificate file types that you need to be aware of regarding F5 appliances:

  • PKCS#12 - This is a certificate with a .pfx extension. The certificate and private key are in the same file, but importing the certificate requires a password. The password would have been provided to you from the certificate authority (CA), or certificate issuer such as Verisign.
  • PKCS#7  - This is a certificate chain with both the cert and the private key embedded and encrypted inside. This file has a .p7b extension. Since the cert key is already embedded and encrypted in the cert file, typing a password to activate the certificate is not required.
  • PEM (X.509) - Importing an SSL certificate requires that certificate to be in .PEM or X.509 format. This is especially true for F5 devices. However, PKCS#12 certificates in PEM format need to be split into CRT and KEY files. PKCS#7 certificates in PEM format do not require the file to be split.
  • CRT - The certificate portion of a PKCS#12 PEM file.
  • KEY - The private key portion of a PKCS#12 PEM file.

Converting SSL Certificates for F5 BIG-IP Appliances

You use F5's TMSH tool to convert SSL certificates. TMSH is accessed simply by connecting to the F5 appliance via SSH using an account with administrative access, then executing "TMSH" at the command line. First, upload the certificate file to the F5's file system, then navigate to the location of it in the file system. If the certificate is an PKCS#12 certificate, then execute the following command:

openssl pkcs12 -in <PKCSfile> -out <filename>.pem -nodes

If the certificate is an PKCS#7 certificate, execute this command instead:

openssl pkcs7 -in <PKCSfile>.p7b -text -out <filename>.pem -print_certs

After conversion, copy the newly created PEM file to your desktop. You can move on to the next section if you have a PKCS#7 cert. If you have a PKCS#12 PEM file you need to split it by performing the following steps:

  1. Open the PEM file with a text editor.
  2. Copy/paste the BEGIN CERTIFICATE area into a new text file. Name the TXT file and change it's file extension to .CRT.
  3. Copy/paste the BEGIN RSA PRIVATE KEY area into a new text file. Name this other TXT file and change it's file extention to .KEY.

Updating the SSL certificate in the F5 BIG-IP GUI.

Now that you have a copy of the PEM file, or the CRT and KEY files, you can update the certificate in the F5 appliance.

For PKCS#7 certificates:

  1. Click System > File Management > SSL Certificate List.
  2. Click on the Certificate name you need to update then click the Import button.
  3. Click Browse and locate the PEM file on your desktop.
  4. Click Import.Type the password of the certificate if prompted to do so.
  5. Verify that the certificate expiration date changed.

For PKCS#12 certificates:

  1. Click System > File Management > SSL Certificate List.
  2. Click on the Certificate name you need to update then click the Import button.
  3. Click Browse and locate the CRT file on your desktop.
  4. Click Import.
  5. Select KEY from the Import Type drop-down menu. Type the authorization password if prompted, then click Finish.
  6. Verify that the certificate expiration date changed.

Your certificate has now been updated. Reference the following F5 articles for more information:

I think I will start going through the F5 University BIG-IP training and virtual labs….

- Joe