Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a tr...
Mostly correct. There are three primary reasons for exposing the Certificate Key Chain control in the UI:
Allowing you to specify your own template key. The built-in 'default.key' is an RSA2048/SHA256 key that is auto-generated when the BIG-IP system is installed, so will be globally unique in hardware platforms, but may be duplicated in virtual environments if the VE is cloned.
Allowing you to insert the template key into a hardware security module (HSM) solution. Server certificates (re)issued by the local CA cert/key are ephemeral (short-lived, in-memory only), so the security impact here is negligible. However for some environments where 'all' keys must be stored in an HSM, this option makes that possible.
Allowing you to specify multiple types of certs - for example RSA and ECC. In this way, if a client negotiates ECDHE with SSLO, SSLO can issue an ECC server cert.