Installation Instructions for BIG-IP F5 version 9.x and 10.x

General Information ID:    INFO165    Updated:    01/30/2017

Description


To install the Symantec SSL certificate for Big-IP F5 Version 9.x and 10.x, please follow the steps below. If you are unable to use these instructions for your server, Symantec recommends that you contact either the vendor of your software or an organization that supports F5 BIG-IP server.
 
Step 1. Download the Intermediate CA Certificate
  
  1. Download the Intermediate CA certificate from this link: INFO657
    Select the appropriate Intermediate CA certificate for your SSL Certificate type.


    NOTE: If you are unsure of which product you have purchased, please review the following knowledge base solution: SO13499
     
  2. Copy the Intermediate CA certificate and paste it on a Notepad.
     
  3. Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white spaces, extra line breaks or additional characters have been inadvertently added.
     
  4. Save the file as intermediate.crt 
     
  5. Save the file to the following location: /config/bigconfig/ssl.crt/intermediate.crt 

    NOTE: In a redundant system, the keys and certificates must be in place on both controllers before you configure the SSL Accelerator.
    You must do this manually as the configuration synchronization utilities do not perform this function.


 Step 2. Install the Intermediate CA Certificate

  1. Log in to the Configuration utility. 
     
  2. Click Local Traffic.
     
  3. Click SSL Certificates.
     
  4. Click Import.
     
  5. Select Certificate from the Import Type menu.
     
  6. Click the Create New option.
     
  7. Type a unique name for the Certificate Name.
     
  8. Click Browse and navigate to the file you saved as intermediate.crt.
     
  9. Click Open.
     
  10. Click Import.  
 
Step 3. Obtain the SSL Certificate
 
  1. The Symantec certificate will be sent by email. The certificate is included as an attachment (Cert.cer) and it is
    also imbedded in the body of the email. 
     
  2. Copy and paste the certificate into a text file using Vi or Notepad.
    Do not use Microsoft Word or other word processing programs that may add characters.

    The text file should look like:
    -----BEGIN CERTIFICATE-----

             [encoded data]

    -----END CERTIFICATE-----

    Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added.
    The certificate can be also downloaded from the Symantec Trust Center by following the steps from this link: SO8061

    NOTE: When downloading the certificate, please select X.509 as a certificate format and copy only the End Entity Certificate.
     
  3. Save the file with extension .crt
 
Step 4. Install the SSL Certificate 
 
  1. In the navigation pane, click Proxies.
     
  2. On Proxies screen, click the Install SSL Certificate Request tab. The Install SSL Certificate screen opens. 
     
  3. In the Certfile Name box, enter the fully qualified domain name of the server with the file extension .crt. If you generated a temporary certificate when you submitted a request to Symantec,
    you can select the name of the certificate from the drop down list. This allows you to overwrite the temporary certificate with the certificate from Symantec.
     
  4. Paste the text of the certificate into the Install SSL Certificate window. 
     
  5. Click Write Certificate File to install the certificate. After the certificate is installed, you can continue with the next step in creating an SSL gateway for the server.
     
Step 5. Establish the trust chain
 
         NOTE: The proper Intermediate CA certificate must be set to ensure a complete chain of trust.
 
  1. Log in to the Configuration utility. 
     
  2. Click Local Traffic.
     
  3. Click Profiles.
     
  4. Select Server from the SSL menu.
     
  5. Select the Server SSL profile to configure.
     
  6. Select Advanced from the Configuration menu.
     
  7. Select the appropriate chain certificate from the Chain dropdown box.
     
  8. Click Update.
    NOTE: Please refer to the screenshot of the F5 Big-IP interface


     
  9. To verify if your certificate is installed correctly, use the Symantec Installation Checker
     

F5 Support

         For additional information refer to F5's KB solution: SOL6401

 

Contact Support

Find Answers

Languages

This article is available in the following languages: