Forum Discussion
NimbostratusRSA Certificate & Key question
I have F5 box, I have installed 3 SSL profile like *.cn, *.com and *.ru.
When I see F5 configuration, I see there are one id_rsa and onr id_rsa.pub keys.
Just I need to clarify, those files contains all 3 private and 3 public keys, or I need to save more keys from other location.
Please mind, I am new to F5, just few months experience.
5 Replies
- Kevin_Stewart
Employee
No, don't think so.
id_rsa and id_rsa.pub are typically how SSH public/private keys are stored. Assuming you're creating client SSL profiles for TLS traffic, those certs are loaded under System ›› Certificate Management : Traffic Certificate Management : SSL Certificate List.
AmrishinwebSorry for misinformation.
I have created profiles, uploaded certificates as well. There are many profiles and for them, I have uploaded total 3 certificate like abc.com, xyz.cn and mno.ru.
When we upgrade the software, we download the keys id_rsa and id_rsa.pub and then upload after upgrade.
I need the clarificatiion what those files contains. As per me, those files contains keys for all three certificate private and public keys. is it true or what os in those two files?
- Kevin_Stewart
Just cat the files to see what's inside.
cat id_rsa cat id_rsa.pubMy guess is you'lll see a single SSH cert and single SSH key, which is not what you're looking for. These are normally key file you'd use to SSH remote into a machine.
The TLS certificates you import for client SSL profiles are generally stored in the file system and will have a .crt or .cer extension.
- Amrishinweb
You are right, there is only single BEGIN RSA PRIVATE KEY- in id_rsa and single public key in id_rsa.pub.
Could you please just let me know where do we use those keys as we use Active directory credentials to login to F5. Just write the purpose of those keys or any article, where I can read about them and we can close this topic.
Thanl You.
- Kevin_Stewart
Sure. The questions asked were to attempt to understand the challenges. id_rsa keys are not used for TLS traffic, so you would not apply these to BIG-IP SSL profiles. You would normally use this type of key for SSH remote access to some system. You could also see these keys used in an AFM SSH proxy configuration:
- https://support.f5.com/csp/article/K27335364
- https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-protocol-security/ssh-protocol-security/authenticating-ssh-proxy-traffic/defining-ssh-proxy-password-or-keyboard-interactive-authentication.html
You might have also used id_rsa keys for SSH public key auth to the BIG-IP: https://support.f5.com/csp/article/K13454
Here's some additional information you might find useful regarding TLS certs/keys:
- BIG-IP SSL administration: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-system-ssl-administration.html
- Overview of client SSL profiles: https://support.f5.com/csp/article/K14783
- Overview of server SSL profiles: https://support.f5.com/csp/article/K14806
- Managing BIG-IP SSL certificates and keys: https://support.f5.com/csp/article/K17379
Otherwise, AD remote user logon (to the BIG-IP) does not use id_rsa (SSH) keys: https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-systems-user-account-administration/remote-user-account-management.html
