F5 CSR/Certificate Creation and Import Procedure

Creating a CSR
- Choose a standby device to create CSR on. This creation is only done on one unit.
- Verify configuration is in sync. If not, sync to/from the device with the latest configuration.
- Navigate to System >> File Management >> SSL Certificate List (for version 10 code, navigate to Local Traffic >> SSL Certificate List)
- Click "Create" on the top right
- Create a unique name for the CSR (this will be the certificate name going forward, so make it something that relates to the virtual server or certificate type). Example: outlook.clientname.com, or New_Wildcard_Cert.
- Under issuer change "Self" to "Certificate Authority"
- For Common Name, enter the common name for the Certificate. Get this info from the client. (This is the most important field, as it is what the certificate is going to be used for and must match the domain it's going to be securing. Example: outlook.clientname.com; a wildcard would be *.clientname.com.)
- Fill out the remaining information, Division, City, State, and Key Properties (usually RSA 2048) per the client's requirements. Creating a Challenge Password is not required, but it is best practice.
- Click "Finished". This will create the CSR and give you a link to download.
- Download the CSR and send it to the client through a secure channel (FTP, upload to my.snocc.net directory, etc.).
 
Importing Certificate to CSR
- Upon receiving the certificate from the client/Certificate Authority, log into the same device you created the CSR on.
- Click the name of the CSR you created.
- Import the Certificate. You can choose either to import the file or open the certificate in Notepad++ and copy then paste into the CSR.
- This will create the certificate and key pair.
- Click Finished.
- Apply the new certificate to the necessary SSL profiles per the client's request.
- Sync standby TO device group to sync certificates to other unit(s)
- If you need to import the cert on other devices, click into the certificate name, click export, and download the cert. Repeat for the key, and then go to the "Importing Certificate and Key (non CSR related)" procedure to complete the import on the other units.
 
Renewing an Existing Certificate
F5 recommends creating a new CSR rather than renewing an existing certificate. Recommend to the client that we create a new CSR and follow the "Creating a CSR" procedure above. If the client still wishes to renew the existing certificate, then do the following:
- Choose a standby device to renew certificate on. This renewal is only done on one unit.
- Verify configuration is in sync. If not, sync to/from the device with the latest configuration.
- Navigate to System >> File Management >> SSL Certificate List (for version 10 code, navigate to Local Traffic >> SSL Certificate List)
- Click into the certificate name the client wishes to renew.
- Export existing cert and key as precaution, and save to a temp folder on your machine.
- Click the renew link on the bottom
- Verify the information is correct. This should already be correct as it's renewing the existing certificate, but verify anyway. Creating a Challenge Password is not required, but it is best practice. (If changes need to occur to the information, then create a new CSR instead of renewing.)
- Click finished
- Download the newly created CSR and send it to the client through a secure channel (FTP, upload to my.snocc.net directory, etc.).
- Upon receiving the certificate from the client/authority, click back into the certificate you processed the renewal on.
- Click "Import" on the bottom to import the Certificate. You can choose either to import the file or open the certificate in Notepad++ and copy then paste into the certificate.
- Click finished
- Sync standby TO device group to sync certificates to other unit(s)
- If you need to import the cert on other devices, log into the device you need to import on.
- Click into the certificate name you're renewing (verify this is the correct cert!! Compare name and existing certificate contents to the one you downloaded as a precaution)
- Export existing cert and key as precaution, and save to a temp folder on your machine.
- Click "Import" on the bottom to import the Certificate. You can choose either to import the file or open the certificate in Notepad++ and copy then paste into the certificate.
- Sync standby TO device group to sync certificates to other unit(s)
 
Importing Certificate and Key (non CSR related)
- Obtain the new Certificate and Key from client. Obtain import password if cert/key is secured with one.
- Navigate to System >> File Management >> SSL Certificate List (for version 10 code, navigate to Local Traffic >> SSL Certificate List)
- Click "Import" on the top right
- Choose Certificate from the dropdown. (If the client provided a PKCS file, choose that option; it will import the cert and key together at once.)
- Create a unique name for the certificate (this will be the certificate name going forward, so make it something that relates to the virtual server or certificate type). Example: outlook.clientname.com, or New_Wildcard_clientname.com_Cert.
- Browse for the file to import or open the certificate in Notepad++ and copy then paste into the certificate.
- Click Import, then Finished.
- Click "Import" again on the top right
- Choose Key from dropdown. Create a unique Key name, matching it to the certificate name you just imported.
- Browse for the key file, or open the Key in Notepad++ and copy then paste into the key file.
- Enter password and then Import.
- Apply the new certificate to the necessary SSL profiles per the client's request.
- Sync standby TO device group to sync certificates to other unit(s)
- Repeat on any other units as needed.
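
A pre-import check for the import steps in the procedures above (returned certificate against the CSR, or a client-supplied certificate against its key), added here as an example and not part of the original procedure. It uses the openssl CLI on a workstation to confirm both files carry the same public key and to read back the Common Name; the function names and file names are illustrative, the files are assumed to be PEM with no passphrase on the key, and `make_sample` only builds constructed test material.

```sh
#!/bin/sh
# Added example: offline sanity checks before importing a cert/key pair.
# Assumes PEM files and a private key that is not passphrase-protected.

# pubkey_digest KIND FILE -> SHA-256 of the PEM public key (KIND: csr|cert|key)
pubkey_digest() {
    case "$1" in
        csr)  pd_pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pd_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pd_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pd_pem" ] || return 1      # unreadable file or wrong file type
    printf '%s\n' "$pd_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_pubkey KIND1 FILE1 KIND2 FILE2 -> 0 only if both parse and the keys match
same_pubkey() {
    sp_a=$(pubkey_digest "$1" "$2") || return 1
    sp_b=$(pubkey_digest "$3" "$4") || return 1
    [ -n "$sp_a" ] && [ "$sp_a" = "$sp_b" ]
}

# subject_cn KIND FILE -> Common Name from a CSR or certificate subject
subject_cn() {
    case "$1" in
        csr)  sc_out=$(openssl req  -in "$2" -noout -subject -nameopt multiline 2>/dev/null) || return 1 ;;
        cert) sc_out=$(openssl x509 -in "$2" -noout -subject -nameopt multiline 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$sc_out" | sed -n 's/^ *commonName *= *//p'
}

# make_sample DIR -> constructed key, CSR, self-signed cert and an unrelated key
make_sample() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/sample.key" \
        -out "$1/sample.csr" -subj "/CN=outlook.clientname.com" 2>/dev/null &&
    openssl x509 -req -in "$1/sample.csr" -signkey "$1/sample.key" \
        -days 1 -out "$1/sample.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage (hypothetical file names):
#   same_pubkey csr request.csr cert returned.crt && echo "cert matches CSR"
#   same_pubkey cert client.crt key client.key    && echo "cert matches key"
```

A mismatch here means the certificate was issued for a different CSR or key than the one it is about to be paired with, which is worth resolving with the client before touching the SSL profiles.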
