This document provides Certificate Signing Request (CSR) generation instructions for F5 BIG IP 11.x. If you are not able to perform these steps on your server, Symantec recommends to contact the server vendor or the organization, which supports F5.
To generate a CSR, a key pair must be created for the server. These two items are a digital certificate key pair and cannot be separated. If the public/private key file or password is lost or changed before the SSL certificate is installed, the SSL certificate will need to be replaced. The private key, CSR and certificate must all match in order for the installation to be successful.
NOTE: All certificates that will expire after December 2013 must upgrade to a 2048-bit key size.
Starting from BIG-IP version 11.5.0, the default signing algorithm used is SHA-2 hash algorithm which is recommended as the signing algorithm by Symantec.
To create a new Certificate Signing Request, perform the steps below:
- Log in to the Configuration Utility
- On the left panel, navigate to System > File Management
- Choose SSL Certificate List
- Click Create
- Fill the form to generate the CSR
- Name: Give a name for your SSL Certificate which will be the name displayed within Big IP. The name should not have any spaces.
- Issuer: Certificate Authority Symantec.
- Common name: FQDN (fully-qualified domain name) of the server (e.g. www.symantec.com, mail.symantec.com, or for wildcard certificate *.symantec.com).
- Division: This is also referred as the Organizational Unit. You may use this field as a department name for the certificate or a naming convention of your choosing.
- Organization: Use the legally registered organization or business name that your company operates as.
- Locality, State or Province, Country: City, state, and country where the organization is located. Do not abbreviate the state or province.
- E-mail Address: Your email.
- Subject Alternative Name: Enter your Subject Alternative Name, also known as SANs, here if any. If you do not have any that is needed to be on the same certificate, you may leave this field blank.
- Challenge Password, Confirm Password: Do not enter a challenge password. Leave the challenge password blank.
- The key size must be 2048 bits for all SSL Certificates.
- Click Finished
- Verify your CSR
- Copy the CSR (including the BEGIN and END tags) as seen below:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
- Proceed with the Enrollment from the Symantec web site and paste the CSR in the required field.
During the verification process, Symantec may need to contact your organization. Be sure to provide an email address,
phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.
Once the SSL Certificate has been issued, follow the steps from this link to install it on the server: SO22290
For additional information, refer to F5's KB solution: SOL14620