F5 BIG-IP LTM¶
You can provision a certificate to an existing SSL profile on your F5, or you can use TLS Protect Cloud to create a new SSL profile for you. The steps below walk you through both scenarios.
- Sign in to Venafi Control Plane.
- Click Installations > Machines.
- Click the checkbox next to the F5 BIG-IP LTM machine that you want to provision a certificate to.
- Click Provision a certificate.
-
From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.
Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.
-
In the Certificate Name field, enter the name for this certificate as you want it to appear on your F5.
What if the name is already in use on the F5?
When provisioning a certificate to the F5, TLS Protect Cloud checks to see if the name you enter in this field is already in use.
- If the name you enter isn't in use, TLS Protect Cloud will use it.
- If the name is in use, TLS Protect Cloud checks to see if it's the same certificate. If so, TLS Protect Cloud uses the certificate that is already on the F5.
- If the name is in use, but it's a different certificate, then TLS Protect Cloud creates a new certificate. A unique certificate name will be generated using a combination of the certificate name entered in this field, the expiration date from the certificate, and a unique numerical value, such as
my-cert-name_22Oct05_3117
.
-
In the Chain Bundle Name field, enter the name for the CA certificate bundle as you want it to appear on your F5.
Note
Possible scenarios and results for F5 chain CA certificates:
- If the bundle does not exist, then we create the bundle with the issuing certificates.
- If the bundle already exists and matches exactly (with the same number of issuing certificates in the same order and containing the same certificates), no changes are made to the F5. The provisioning process proceeds as if TLS Protect Cloud created it.
- If the bundle exists and has any of the three listed scenarios, the operation will fail with the error message
cannot overwrite existing certificate chain
.- (1) different issuing certificates
- (2) the same certificates but in a different order
- (3) it has the same certificates but contains additional certificates. For example, if we want to add certificates Root, Intermediate1, and Intermediate 2, but the existing bundle already includes an additional Intermediate 3.
-
From the Profile Type drop-down, select either Client SSL Profile or Server SSL Profile, depending on the type of F5 profile you're provisioning to.
-
In the Partition field, enter an F5 partition name. This partition must already exist on the F5. Leaving this field blank will default to the F5's
Common
partition.Note
The partition name is case sensitive.
-
In the Parent Profile field, enter the name of the parent profile you want to associate with the SSL Profile.
Note
If you're using an existing SSL Profile in the next step, this field will be ignored. TLS Protect Cloud will not modify the parent profile of existing SSL profiles.
-
In the SSL Profile field, enter an SSL profile name. This can be either a name that is already in use on the F5 partition, or a new name.
What happens if the name is already in use?
If the profile name you enter already exists in the F5 partition you entered previously (see step 8 above), then TLS Protect Cloud will provision the certificate to that profile. Otherwise, TLS Protect Cloud creates a new profile using the name you enter here.
-
For Client SSL Profiles, you can optionally enter an alternative DNS name for Server Name Indication in the SNI field.
Warning
If you're editing an existing SSL profile, any current Server Name value will be overwritten if you enter a value you here.
-
If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
-
Click Save.
Want to schedule your provisions?
Schedule your provisions daily, weekly, or monthly. Learn more
After saving, the certificate is pushed to the F5 profile that you specified, and a installation is created on the Installations tab. If you created a new SSL profile, that profile is now ready to be assigned to a virtual server or https health monitor on the F5.