Mic_108850
Altostratus
May 07, 2010
HTTPS and SSL certificate for 2 BIG-IPs
Hi,
I have 2 BIG-IPs in different locations (they are configured in symmetrical deployment mode).
BIG-IP 1:
VS_a1.test.domain.com (https)
with Pool (ip1:443)
ip1 uses an SSL certificate
For a1.test.domain.com I have a specific SSL certificate on BIG-IP 1.
BIG-IP 2:
VS_a2.test.domain.com (https)
with Pool (www.domain1.com:443)
For a2.test.domain.com I have a specific SSL certificate on BIG-IP 2.
If I activate multiconnect mode on BIG-IP 1 and 2 I will have:
https://wa1.a1.test.domain.com
https://wa2.a1.test.domain.com
on the other one:
https://wa1.a2.test.domain.com
https://wa2.a2.test.domain.com
What is the best solution for using SSL certificates with multiconnect? Can I use the same wildcard certificate on both BIG-IPs for each of VS_a1.test.domain.com and VS_a2.test.domain.com,
or is there a better solution?
Thanks
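An added example, not part of this thread: a Python check of which of the multiconnect hostnames from the question a given wildcard certificate would cover, using the single-label wildcard rule that browsers apply (RFC 6125). The hostnames are the ones in the question; the wildcard patterns are assumptions about how the certificates might be issued.

```python
# Added example (not from the original thread): RFC 6125-style wildcard
# matching applied to the multiconnect hostnames in the question, to see
# whether one wildcard certificate can cover both BIG-IPs' virtual servers.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name pattern covers hostname.

    Rules as browsers apply them: matching is case-insensitive, '*' is only
    honoured as the complete left-most label, it matches exactly one label
    (so '*.example.com' does not cover 'a.b.example.com'), and a wildcard
    must be followed by at least two labels (so '*.com' is rejected).
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if "*" in pattern_labels[0]:
        if pattern_labels[0] != "*" or len(pattern_labels) < 3:
            return False  # partial wildcards like 'wa*' and '*.com' rejected
        return pattern_labels[1:] == host_labels[1:]
    return pattern_labels == host_labels


def uncovered_names(cert_names, hostnames):
    """Return the hostnames that none of the certificate's names covers."""
    return [h for h in hostnames
            if not any(wildcard_matches(n, h) for n in cert_names)]


# Hostnames produced by multiconnect, as given in the question.
MULTICONNECT_HOSTS = [
    "wa1.a1.test.domain.com", "wa2.a1.test.domain.com",
    "wa1.a2.test.domain.com", "wa2.a2.test.domain.com",
]

# Assumed issuance 1: a single wildcard one level up. It covers the two
# virtual-server names but none of the multiconnect names.
assert uncovered_names(["*.test.domain.com"],
                       ["a1.test.domain.com", "a2.test.domain.com"]) == []
assert uncovered_names(["*.test.domain.com"], MULTICONNECT_HOSTS) == MULTICONNECT_HOSTS

# Assumed issuance 2: one wildcard per virtual server, either as two
# certificates or as two SAN entries in one certificate. Covers everything.
assert uncovered_names(["*.a1.test.domain.com", "*.a2.test.domain.com"],
                       MULTICONNECT_HOSTS) == []
```

The same check can be run against the subjectAltName entries read from a certificate before it is installed on both units.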
4 Replies
- Hamish
Cirrocumulus
For test domains you could just use self-signed certs... Cheaper (i.e. free). The only downside with using the same wildcard cert across multiple devices is having to keep the keys and certs synced across multiple devices, and you don't want to share your CA-signed certs across TOO many devices (the more it's shared, the less secure it'll be, especially if you have to swap boxes out for repair etc. and the HD is returned or swapped out).
H
- Michael_Yates
Nimbostratus
Mic,
I've done exactly what you are talking about across multiple F5 pairs with wildcard SSL certificates and haven't had any problems in the past.
I can't say that I've ever had the problem that Hamish is describing, although you can never be too safe. We've thought of the security aspects of having the SSL certificates on the F5's, and we actually use them as a storage repository for SSL certificates that are created and not used on the F5's (so that we can keep track of them in case the server has a failure).
In the event of an F5 RMA (which in 4 years I've only had to do once, and that was an SSL accelerator card failure) you can retrieve and then delete all of the current SSL certificates that reside on an F5 to keep them secure in your company's hands.
They are located in the following directories:
/config/ssl/ssl.crl
/config/ssl/ssl.csr
/config/ssl/ssl.key
/config/ssl/ssl.crt
- Hamish
Cirrocumulus
As far as I am aware there is no secure delete facility on the F5's... Which means even if you do rm the files, they're still there...
Just as a further note, you CAN purchase the drive (And then remove it before you send it back. It's an option in your support IIRC)... But it's expensive...
For horror stories, just google it... A while back there were several articles where people (researchers) had purchased devices (Not just F5's) and discovered certs on them (And other data). Best to be paranoid around keys.
H
- hoolio
Cirrostratus
Assuming the unit still boots, I wonder if you could use a utility like DBAN to securely wipe the HDD before returning a defective unit for an RMA.
http://www.dban.org/faq/burning
http://www.pendrivelinux.com/install-dban-to-a-usb-flash-drive-using-windows/
Else, F5 can allow you to keep (or have them securely destroy?) the drives for an extra charge. Or if you have a decent chunk of money to spend, you could go for a FIPS card to securely store the SSL private keys without worry that they can be exported. FIPS is only supported on the higher end models though.
Aaron