F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

TLS Certificate

A TLS certificate is a digital certificate signed by a trusted Certificate Authority (CA) that will authenticate the identity of the certificate owner. It is required to encrypt and secure traffic over the internet using Public Key Infrastructure (PKI).

F5 Distributed Cloud (F5 XC) had already implemented the ability to choose between automatic TLS certificate management and attaching a custom TLS certificate (aka Bring Your Own Certificate) in its HTTP/TCP load balancer configurations. Now a new feature is added enabling customers to attach multiple custom TLS certificates to a single HTTP/TCP load balancer, this will allow them to host multiple domains with different certificates from a single load balancer so that they can optimize costs or simplify configuration.

Also, now TLS certificates can be shared across multiple LBs and customers can view and manage their TLS certificates and intermediate certificate chains as standalone objects from a centralized place.

Note: This feature is supported for the HTTP/TCP LBs advertised either on Regional Edges (REs) or on Customer Edge (CE).

Configuration

Step1: Create TLS certificate object in XC console

  • Select `Shared Configuration` service from the home page of XC console.
  • Select `Certificate Management` from the left menu and select `TLS Certificates`, Click `Add TLS Certificate`.

Note: Certificate Management configuration can be done either from Multi-Cloud App Connect, Web App & API Protection, Distributed Apps, or Shared Configuration services.

  • Configure certificate properties and upload the certificate.

Note: Supported certificate formats are PEM and PKCS#12 (aka P12)

OCSP (Online Certificate Status Protocol) is used to determine the revocation state of digital certificates.  For more information on OCSP stapling follow the documentation

Certificate Chain of trust refers to all the certificates that are linked together in an ordered fashion to validate the legitimacy of the server certificate. There are 3 components in this certificate chain:

  1. Root certificate: This certificate belongs to Root Certificate Authority (CA) and are self-signed.
  2. Intermediate certificate: This certificate belongs to intermediate CA and are signed by Root CA, Intermediate CA signs the certificates on behalf of Root CA and there can be one or more Intermediate CA in a certificate chain of trust.
  3. Leaf/server certificate: This certificate belongs to the web server to establish secure connection or authenticating clients reaching to the server, this can either be signed by a Root CA or an Intermediate CA.

Above screenshot shows the list of TLS Certificates, one certificate is signed by the Root CA and is created in personal namespace (demo) while the other certificate is signed by the Intermediate CA and is created in `shared namespace` (Note: objects created in shared namespace can be used across all other namespaces).

Step2: Attach TLS certificates to the load balancer (HTTP/TCP)

Note: In this demonstration, we are attaching the TLS certificates to the HTTP LB

  • Click on `Load Balancers`, from the left menu and select `HTTP Load Balancers`.
  • Click Add `HTTP Load Balancer`,
  • Configure HTTP LB, enter valid domains as per the TLS certificates.
  • Select ‘HTTPS with Custom Certificate’ option in ‘Load Balancer Type’ field, and in ‘TLS Configuration’ select `Multiple Certificates` option.
  • Click on ‘Configure’ and attach the above created TLS certificates by keeping ‘TLS Security Level’ as `High`.
  • We have already created origin pools for our two domains and added those origin pool members to the LB with the help of ‘Routes’ as shown in the screenshots below. (Applications deployed on origin servers are httpbin and dvga)
  • You could either advertise this LB to the internet which is also a default setting or can customize it to be advertised on a CE site. For this demo we have advertised the LB to 'Internet'. Click `Save and Exit`.

Note: Each LB has a certificate expiration date, and in case of multiple certs this value is automatically set to the expiry date of its certificate which is expiring earlier.

Similarly, you can configure TCP LB as well with multiple custom TLS certificates. For more details on how to configure TCP LB refer to the document.

 

Step3: Check the server certificate details by clicking padlock next to the URL

  • Open the browser and check for the LB domains, Connection should be shown as secure.

Note: In this demo we are using local domain names and TLS Certificates, so we have manually added the custom local `Root CA` certificate to the browser and edited the hosts file to map VIP with our domain names.

When the certificate expiry date approaches near, you will be notified with alerts. You can see active alerts by navigating to `Notifications -> Alerts` section from the menu on the left side or by clicking the bell icon on top right corner of the XC console.

Based on the alerts received, you can renew the certificate expiration date and upload it again to the existing XC’s TLS cert object to reuse it instead of creating a new object.

 

Conclusion:

In the above demo, you have seen using XC console how easy it is to manage your multiple custom TLS certificates from a centralized place.

Updated Apr 19, 2024
Version 2.0
No CommentsBe the first to comment