Ask a Question

Advanced Search

Solution ID : SO6214

Last Modified : 05/02/2018

How to move SSL certificate from Microsoft IIS 5.0 / 6.0 to F5 Big-IP

Problem

How to move certificate from IIS to F5 Big-IP
Move certificate from IIS to F5 big-IP
Export certificate
Import certificate

Solution

To move an SSL certificate from a Microsoft IIS 5.0 / 6.0 to F5 Big-IP server, perform the following steps:

Step 1: Create a Microsoft Management Console (MMC) Snap-in for managing certificates
 
Create a Microsoft Management Console (MMC) Snap-in for managing certificates.
 
Step 2: Export SSL certificate from Microsoft IIS 5.0 / 6.0
 
1.  Open the Certificates (Local Computer) snap-in you added, and select Personal > Certificates
2.  The Subject field of the certificate lists the Common Name (CN). (Click Tools > Internet Options > Content to view the Common Name if you are not sure)
3.  Right-click on the desired certificate and select All Tasks > Export. The Certificate Export Wizard opens
4.  Select Yes, export the private key
5.  Click Next
6.  In the Export File Format window, ensure the option for Personal Information Exchange  - PKCS#12 (.pfx) is selected
7.  Select Include all certificates in the certificate path if possible and then click Next. (If you do not select the Include all certificates in the certificate path if possible option, your server may not recognize the issuer of the certificate, which may result in security warnings for your clients.
8.  De-select Require Strong Encryption. (This may cause a password prompt every time an application attempts to access the private key or it may cause IIS to fail).
9.  Click Next
10.  Enter and confirm a password to protect the PFX file and click Next
11.  Choose a file name and location for the export file (do not include an extension in your file name; the wizard automatically adds the PFX extension for you)
12.  Click Next
13.  Read the summary and verify that the information is correct. Pay special attention to where you saved the file. Ensure that the information is correct
14.  Click Finish

Step 3: Convert PFX file to compatible files for F5 Big-IP

1. Move the .pfx file to the F5 Big-IP server
2. To extract the private key, run the OpenSSL command:  openssl pkcs12 -in <filename>.pfx  -nocerts -out key.pem
3. To extract the certificate (public key), run the OpenSSL command:  openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

Step 4: Install CA Certificate

Download Intermediate CA.

1. Copy the entire text of the Intermediate CA Certificate from the Symantec Web site, including the
 
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
 
2. Paste into a file named intermediate-ca.crt using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters.  Do not to include any leading or trailing whitespace before the beginning and ending hyphens.
3. Place the intermediate-ca.crt file in the directory:  /config/bigconfig/ssl.crt
4. The full path to the file is:  /config/bigconfig/ssl.crt/intermediate-ca.crt
 
In a redundant system, the keys and certificates must be in place on both controllers before you configure the SSL Accelerator. You must do this manually; the configuration synchronization utilities do not perform this function.

Step 5: Install SSL certificate for F5 Big-IP
 
Note: The private key & public key file that was extracted as a .pfx file (performed on Step 3) including the Symantec Intermediate CA will be place on F5 Bip-IP server.

1. Place the public key file in the directory:  /config/bigconfig/ssl.crt/public.crt
2. Place the private key file in the directory: in  /config/bigconfig/ssl.key/private.key
3. Place the intermediate ca file in the directory:  /config/bigconfig/ssl.crt/intermediate-ca.crt

On the F5 Big-IP, create an SSL proxy (or edit an existing one) and configure it to use the certificate and key files.