Before you begin
- Never share private keys files.
- If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
- It is best practice to ensure that you have current and up to date Ciphers and Protocols to ensure the best security when deploying a new Private key and Server Certificate.
- Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
- For more information on SSL/TLS Best Practices, click here.
Installing your Entrust SSL/TLS Certificate on F5 BIG-IP
1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a a zip file that contains the following files:
- ServerCertificate.crt: Your signed SSL/TLS certificate
- ChainBundle1.crt: The Entrust Certificate chain bundled in a single file
2. Launch the F5 BIG-IP web GUI.
3. On the Main tab, expand Local Traffic.
4. Click SSL Certificate to display the list of existing certificates.
5. In the upper right corner, click the Import button.
6. From the Import Type drop down, select Certificate.
7. In the Certificate Name field, enter EntrustChain. In the Certificate Source box, browse to the location of the ChainBundle1.crt file.
8. Click Import. The new certificate should appear in the list as EntrustChain.
9. Click SSL Certificate to display the list of existing certificates.
10. Click the name you assigned to the certificate when you created your Certificate Signing Request.
11. Click Import.
12. Enter a friendly name for your certificate in the Certificate Name field. In the Certificate Source box, browse to the location of the ServerCertificate.crt file that you downloaded in step 1. Click Import.
13. The Server Certificate and Key should now appear in the list.
14. On the Main tab of the F5 BIG-IP interface, expand Local Traffic and click on Profiles.
15. In the top menu bar, click on SSL > Client.
16. Create a new SSL Profile by clicking Create or open an existing SSL profile that has already been setup.
17. From the Configuration drop down, select Advanced.
18. In the Configuration section, check the Custom box
19. Under Certificate, select your Server Certificate. It will appear with the friendly name you provided in step 12.
20. Under Key, select the name of the Key from the drop down. This key was generated when you generated your Certificate Signing Request before your requested your certificate.
21. Under Chain, select EntrustChain that was imported in step 8 from the drop down.
22.Scroll to the bottom of the page and click Finished or Update to save the configuration.