Ask a Question

Advanced Search

Alert ID : INFO795

Last Modified : 05/03/2018

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for F5 BIG-IP version 11.x

Description

This document provides generation instructions for F5 BIG IP 11.x. If you are not able to perform these steps on your server, Symantec recommends to contact the server vendor or the organization, which supports F5

To generate a CSR, a key pair must be created for the server. These two items are a digital certificate key pair and cannot be separated. If the public/private key file or password is lost or changed before the SSL certificate is installed, the SSL certificate will need to be replaced. The private key, CSR and certificate must all match in order for the installation to be successful.

NOTE: All certificates that will expire after December 2013 must upgrade to a 2048-bit key size.
Starting from BIG-IP version 11.5.0, the default signing algorithm used is SHA-2 hash algorithm which is recommended as the signing algorithm by Symantec.
 

To create a new Certificate Signing Request, perform the steps below:

  1. Log in to the Configuration Utility
  2. On the left panel, navigate to System > File Management
  3. Choose SSL Certificate List
  4. Click Create
  5. Fill the form to generate the CSR


     
  • Name: Give a name for your SSL Certificate which will be the name displayed within Big IP. The name should not have any spaces.
  • Issuer: Click on the drop-down and select Certificate Authority.
  • Common name: The fully-qualified domain name to which your certificate will be issued.
  • Division: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
  • Organization: The full legal name of your company.
  • Locality, State or Province, Country: City, state, and country where the organization is located. Do not abbreviate the state or province.
  • E-mail Address: Your email.
  • Subject Alternative Name: Enter your Subject Alternative Name, also known as SANs, here if any. If you do not have any that is needed to be on the same certificate, you may leave this field blank.
  • Challenge Password, Confirm Password: Do not enter a challenge password. Leave the challenge password blank.
  • The key size must be 2048 bits for all SSL Certificates.
     
  1. Click Finished
  2. Verify your CSR
  3. Copy the CSR (including the BEGIN and END tags) as seen below:

    -----BEGIN CERTIFICATE REQUEST-----
                  
                    [encoded data]

    -----END CERTIFICATE REQUEST-----
     
  4. Proceed with the enrollment at Symantec Managed PKI for SSL Subscriber Services page and paste the CSR in the required field.

 

Once the SSL Certificate has been issued, follow the steps from this link to install it on the server: SO16517


F5 Support

For additional information, refer to F5's KB solution: SOL14620