

Ankur_5273
Jan 09, 2015

Migrate SSL Certificate from backend web server to F5

Hi Experts

We have an F5 LTM 1600 running LTM v11.2.1 in Active/Standby hosting multiple websites. There are 3 websites hosted on F5 having Virtual IP 172.16.2.20 running on service port "Any" (i.e. 0). The health monitor is monitoring the traffic on the backend web server on ports 80, 2080 and 3080. All 3 websites are hosted on the same backend web server, however on different ports (as mentioned above). The backend web server has SSL certificates mapped to these websites.

The traffic from the external (internet) to the backend web server is on SSL, with F5 just acting as a bridge and therefore not able to take any decision based on an iRule. Also there is a lot of inconvenience which users face while browsing the websites, as every time they have to mention the port. The websites are as follows:

a) https://www.myweb.com
b) https://myweb1.com:2080
c) https://myweb2.com:3080

Hence I would like to migrate these websites to F5 along with the SSL certificate, so that all traffic from the external (internet) comes to F5 on port 443 and then gets redirected to the backend web servers on different ports. This will also allow me to put iRules on the VIP (if required in future).

Now since all the websites have different domains and my requirement is to host the websites on a single Virtual IP (because NATting on the firewall can be done only on a single public IP); how can I ensure on F5 that I can host all 3 websites with a single VIP and the same certificate? What kind of certificate will be required for this?

Ankur

7 Replies

  • If you're using 3 different domains and trying to get them all to 1 VIP on SSL, you can use a SAN certificate with all the domains. (If you were using a single domain and then using different subdomains (e.g. app1.myweb.com, app2.myweb.com, etc..) you could look into a wildcard certificate, but that's more expensive).

    For migrating the certificate, you can export the cert from your web server (make sure you include the private key), and then you can import it into the F5. You'll need to make sure you import any necessary certificate chains/bundles as well onto the F5.

    From there, you'll need to create a clientssl profile on the F5 to assign your VIP, make sure the port number on the VIP is 443 (or whatever port's on your cert), and test.

    If you want ssl from the F5 to the back end server as well, you'll need to set up a serverssl profile on the VIP (though I think you can usually just use one of the default serverssl profiles without creating a new one).

    Hope this helps.
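One way to lay out the single-VIP design described in this reply, written here as an added bigip.conf-style example rather than configuration from this thread or from F5: a clientssl profile holding the SAN certificate, one pool per backend listener, an iRule that picks the pool from the decrypted Host header, and a 443 virtual server with serverssl since the backends keep their own SSL. The VIP 172.16.2.20, the three hostnames and the ports 80/2080/3080 are from the question; the backend address 10.0.0.10, all object names and the certificate file names are assumptions.

```tcl
# Added example (bigip.conf object syntax); backend 10.0.0.10, object and file names are assumed.
# SAN cert covering www.myweb.com, myweb1.com and myweb2.com, imported with its key and chain.
ltm profile client-ssl clientssl_myweb_san {
    defaults-from clientssl
    cert myweb_san.crt
    key myweb_san.key
    chain myweb_san_chain.crt
}
# One pool per backend listener so each port is monitored and fails independently.
ltm pool pool_myweb_80 {
    members { 10.0.0.10:80 { address 10.0.0.10 } }
    monitor tcp
}
ltm pool pool_myweb1_2080 {
    members { 10.0.0.10:2080 { address 10.0.0.10 } }
    monitor tcp
}
ltm pool pool_myweb2_3080 {
    members { 10.0.0.10:3080 { address 10.0.0.10 } }
    monitor tcp
}
# After clientssl decrypts the session the Host header is readable; pick the
# pool from it and reject names outside the SAN list rather than falling through.
ltm rule rule_myweb_host_routing {
    when HTTP_REQUEST {
        switch [string tolower [getfield [HTTP::host] ":" 1]] {
            "www.myweb.com" { pool pool_myweb_80 }
            "myweb1.com"    { pool pool_myweb1_2080 }
            "myweb2.com"    { pool pool_myweb2_3080 }
            default         { reject }
        }
    }
}
# Single VIP on 443: clientssl terminates the browser's TLS, serverssl
# re-encrypts to the backends, which still speak HTTPS on their own ports.
ltm virtual vs_myweb_443 {
    destination 172.16.2.20:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        clientssl_myweb_san { context clientside }
        serverssl { context serverside }
    }
    rules { rule_myweb_host_routing }
    source-address-translation { type automap }
}
```

The certificate, key and chain must already be imported into the SSL certificate list before the clientssl profile referencing them can be loaded; drop the serverssl profile if a backend listener is reached in clear.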

  • Hi Michael,

    Thanks a lot for the reply. I would like to ask if I can create 3 different CSRs on the F5 LB and send them to the CA asking for a SAN certificate? Currently the certificates are on the backend web server and the certificate validity is going to expire soon. Hence I would like to create the CSR on the LTM for the

    Also can you tell me if your below statement holds true in case I am going to create CSRs for 3 websites on the LTM?

    "For migrating the certificate, you can export the cert from your web server (make sure you include the private key), and then you can import it into the F5."

    Ankur

  • I think SOL13471 may answer your question. If you're doing the CSR from the F5, then you shouldn't need to export from the web server. (In my environment, we've sometimes just moved certs to the F5, so had to export and import. May not be applicable in your case)

  • Hi Michael

    Thanks for the link. I will generate the CSR as per sol13471; however, I also happened to go through sol13770

    (sol13770: The BIG-IP system fails to include the Subject Alternative Name extension while generating a CSR).

    Can you please suggest whether sol13770 would hamper my CSR creation on the LTM or is not going to affect my scenario. I was also unable to get the meaning of the word "extension" in SAN Extension. Can you please let me know about the same?

    Ankur

    • Michael_Jenkins
      It looks like the issue in SOL13770 was fixed in version 11.3.0, so if you're using a newer version than that, you should be fine. Otherwise, it may pose a problem, since you will be adding additional names (I think what it means by extensions is properties... Not 100% sure, but that's my guess, and the Subject Alternative Name list is a property). If that's the case, you may want to follow the link to SOL11438 and create the CSR that way.

  • Hi Michael

    Just to reconfirm once more, the URLs of the actual websites are totally different from each other. They do not even have a domain in common (the below mentioned URLs are just examples). Can you reconfirm whether a SAN certificate would be fine for my requirement of hosting all websites with a single VIP on F5 along with a single SAN certificate?

    a) https://www.myweb.com
    b) https://myweb1.com:2080
    c) https://myweb2.com:3080

    Ankur

    • Michael_Jenkins
      We use wildcard certs in our environment, but based on this site (https://www.digicert.com/unified-communications-ssl-tls.htm), I would think it'd work for you. I'm not sure about the different ports though. Haven't dealt with that before.