Implementing SSL Orchestrator - Guided Configuration

Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a tr...
Published Jan 10, 2020
Version 1.0
BIG-IP
decryption
guided configuration
Security
series-big-ip-ssl-orchestrator
service chain
SSL Orchestrator
topology
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 12, 2020

Mostly correct. There are three primary reasons for exposing the Certificate Key Chain control in the UI:

  • Allowing you to specify your own template key. The built-in 'default.key' is an RSA2048/SHA256 key that is auto-generated when the BIG-IP system is installed, so will be globally unique in hardware platforms, but may be duplicated in virtual environments if the VE is cloned.
  • Allowing you to insert the template key into a hardware security module (HSM) solution. Server certificates (re)issued by the local CA cert/key are ephemeral (short-lived, in-memory only), so the security impact here is negligible. However for some environments where 'all' keys must be stored in an HSM, this option makes that possible.
  • Allowing you to specify multiple types of certs - for example RSA and ECC. In this way, if a client negotiates ECDHE with SSLO, SSLO can issue an ECC server cert.