Installing an SSL certificate on F5 Networks BIG-IP Controller 4.2

These instructions are roughly correct for the BIG-IP 4.x series, but the procedure for your exact version may vary. Please refer to tech.f5.com for specific instructions for your version.

Part one: Save and install the certificate for your domain name

After you receive the certificate for your domain name by email, you must copy it onto each BIG-IP Controller in the redundant configuration. You can configure the SSL Accelerator with certificates using the Configuration utility or from the command line.

To install certificates using the Configuration utility

1. Open the email that contains the certificate.
2. In the navigation pane, click Proxies. The Proxies screen opens.
3. On Proxies screen, click the Install SSL Certificate Request tab. The Install SSL Certificate screen opens.
4. In the Certfile Name box, type the fully qualified domain name of the server with the file extension .crt. If you generated a temporary certificate when you submitted a request to the certificate authority, you can select the name of the certificate from the drop-down list. This allows you to overwrite the temporary certificate with the certificate from the certificate authority.
5. Copy the text of the certificate from the email and paste into the Install SSL Certificate window. Make sure you include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
6. Click the Write Certificate File button to install the certificate.

To install certificates from the certificate authority using the command line

1. Open the email we sent you, that contains the certificate for your domain.

2. Copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

3. Paste the certificate into a blank document in a text editor.

4. Save the document. Name it YourDomainName.crt and save it to directory /config/bigconfig/ssl.crt/

   We recommend that you also back up your certificate on another computer or storage device.

5. Copy the certificate into the same directory on each BIG-IP Controller in a redundant system:

   /config/bigconfig/ssl.crt/

   Note: The certificate you receive should overwrite the temporary certificate generated by genkey or gencert.

   Confirm that a copy of the corresponding key is in the following directory on the BIG-IP Controller:

   /config/bigconfig/ssl.key/

Part two: Download and install the Intermediate certificate(s)

1. Confirm which certificate you purchased, and determine which set of Intermediate certificate(s) to download.

   To confirm which certificate you purchased, review your order confirmation.

   • If you purchased SBS Instant, download set A below.

   • If you purchased SBS Secure or Secure Plus, download set B below.

   A -- SBS Instant

   • Instant Validation SBS Intermediate 2 CA
   • Instant Validation AddTrust Intermediate 1 CA

   -OR-

   B -- SBS Secure and Secure Plus

   • Full Validation Intermediate CA

2. Save the certificate(s) to directory /config/bigconfig/ssl.key/

3. Copy the Intermediate certificate(s) into each BIG-IP Controller in a redundant system.
4. Open the Intermediate certificate file(s) with a text editor.
5. In another text editor window (TextPad works well for this task), open file intermediate-ca.crt in directory /config/bigconfig/ssl.crt/.
6. Copy and paste the entire text of the certificate(s), including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into intermediate-ca.crt.
   • Paste the SBS certificates at the bottom of the file.
   • If you are installing SBS Instant, paste the text of InstantValidationAddTrustUTNServerIntermediate1CA.crt first, and InstantValidationSBSIntermediate2CA.crt below it.
   • If you are installing SBS Secure or Secure Plus, paste the text of FullValidationAddTrustRootIntermediate3.crt at the bottom of the file.
   • Do not include any leading or trailing whitespace before the beginning and ending hyphens of each certificate, except for one return (CRLF) between each certificate in the file.

7. Save and close intermediate-ca.crt.

8. Add the SBS Intermediate certificate(s) to the intermediate-ca.crt file on each of the other controllers in a redundant system.

   Note: The ssl.crt directory is used to store certificates and certificate authorities.

   Note: In a redundant system, the keys and certificates must be in place on all controllers before you configure the SSL Accelerator. You must do this manually; the configuration synchronization utilities do not perform this function.