Kesha_50406
Aug 13, 2013

F5 BIG-IP WebGUI intermediate certificate

I don't see how I can install an intermediate certificate for the F5 BIG-IP management WebGUI. The device seems to be using the "Device Certificate" (under System > Device Certificates) for its management WebGUI. Is there an SSL profile that can be used to configure the certificate chain for the WebGUI, or is it something not supported?

 

I tried concatenating the device's certificate with the signing certificate (the intermediate certificate) in PEM format and installing that. It works in the sense that the device now shows two certificates in "Device Certificate"/"General Properties", yet if I point the browser to it, the device returns only one certificate as part of the SSL handshake for the management WebGUI; the signing certificate gets dropped for some reason.

 

Thanks Kesha.
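
The effect described in the post above, as an added example that is not part of the original thread: a client that trusts only the root CA cannot validate a device certificate when the server leaves the intermediate out of the handshake. The lab PKI, all names and all file paths are constructed for the example.

```shell
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> intermediate CA -> device cert.
make_lab_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Root CA, self-signed
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    # Device certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bigip-mgmt.lab.example" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
    openssl x509 -req -in "$d/dev.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/dev.crt" 2>/dev/null
}

# Count PEM certificates in a file. Works on a concatenated bundle and on saved
# output of: openssl s_client -connect <mgmt-host>:443 -showcerts </dev/null
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Validate like a client that trusts only the root.
# $1 = root, $2 = leaf, $3 = intermediates the server sent (optional)
verify_as_client() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

LAB=$(mktemp -d)
make_lab_pki "$LAB"
cat "$LAB/dev.crt" "$LAB/int.crt" > "$LAB/bundle.pem"   # the concatenated PEM
echo "certificates in bundle: $(count_pem_certs "$LAB/bundle.pem")"
if verify_as_client "$LAB/root.crt" "$LAB/dev.crt"; then
    echo "server sends leaf only:           chain validates"
else
    echo "server sends leaf only:           validation fails (issuer unknown)"
fi
if verify_as_client "$LAB/root.crt" "$LAB/dev.crt" "$LAB/int.crt"; then
    echo "server sends leaf + intermediate: chain validates"
fi
```

Running `count_pem_certs` on saved `s_client -showcerts` output from the management interface shows whether the handshake carries one certificate or two.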

 

12 Replies

  • Thank you! This is definitely better than modifying the httpd config files

     

  • Hi,

     

    Old post but helpful! Still, I am not sure what is necessary for this scenario:

     

    • Stand alone BIG-IP
    • private root CA, no intermediates
    • Device certificate signed by CA

    My guess is that I have to:

     

    • Import the device cert and key using System ›› Device Certificates : Device Certificate ›› Device Certificate Import (it seems that the key should be set without a password) - that is obvious. Probably this should be done as the second step, after using Trusted Device Certificates Import?
    • What next?
    • Import the private CA cert using Trusted Device Certificates Import with the Replace option (right now there is a self-signed cert generated automatically during setup). Is there any reason to use Append in such a situation?
    • Copy the private CA cert to the /config/httpd/conf/ssl.crt/ folder
    • Use tmsh modify sys httpd ssl-certchainfile conf/ssl.crt/privateCA.crt - is this step really necessary? What is the difference between this step and the step with Trusted Device Certificates? Should ssl-certchainfile be used, or can ssl-ca-cert-file be used when no chain file is necessary?

    Piotr