Forum Discussion
mishpan_70054
Nimbostratus
Aug 16, 2012
Regarding SSL-offload on 6900 box (FIPS-HSM enable)
I have four 6900 boxes (FIPS-HSM enabled) which are handling traffic coming from the above HA pair (3900 boxes). Now if these four 6900 boxes have to off-load traffic for https://abc.com, do I have to generate a CSR request for each box (which means four private keys) for CN-abc.com? Or can I generate one CSR and use the same key & certificate?
Cheers
mishpan
4 Replies
- hoolio
Cirrostratus
Hi mishpan,
I think you should be able to join each of the 6900s into the same FIPS domain and then generate a single CSR on one unit. You could check the manual, test and/or open a case with F5 Support to confirm.
Manual Chapter: BIG-IP Platform FIPS 140 Options
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/1.html
Aaron
- mishpan_70054
Nimbostratus
Thanks for the reply,
but the problem here is that, as per the design, I cannot put these 6900s under the same domain. And they have to work separately.
- hoolio
Cirrostratus
If you can't add the FIPS devices to the same domain then I think you'll need to generate separate CSRs on each. You could confirm this with F5 Support.
Aaron
- Eduardo_N__1674
Nimbostratus
Is the FIPS an external HSM (i.e. a networked one like Thales) or the integrated FIPS module (these models usually end in F)?