F5 Certificate configuration

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Description of the file formats involved:

csr --> the certificate signing request generated on F5. It contains the domain name, company name, department name, city, mailbox and other information.

crt/cer --> the certificate file, which carries the public key and is issued by an authoritative certificate authority.

key --> the private key, which is generated together with the csr; the two are used as a pair.

Example:

1. Certificate chain (a tree structure of certificates, traced back to the root certificate authority)

2. Certificate testworthy wosign.com.crt --> public key (the certificate authority uses its private key to sign your csr)

3. The private key (used with the public key)

A brief introduction to SNI:

SNI lets a single IP address serve multiple domain names, each bound to a different certificate. F5 requires version v11.1.0 to support it.

Screenshot description:

Device model F5-1600 system version 10.2.4

I. Create the CSR file, back up the certificate and private key

Create a CSR file:

Choose whether to self-issue:

Back up the certificate and private key:

II. Install the certificate

Paste the contents of the certificate issued by the certificate authority (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") into Notepad and save it as a server.cer file.

Install the certificate file:

Status after successful import:

Add certificate chain:

Paste every certificate block, from BEGIN to END, from the certificate issuance email into Notepad, separating the blocks with carriage return line feeds. Save the result as a ca-bundle.cer file.
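The two paste steps above (server.cer and ca-bundle.cer) fail at import time if a BEGIN/END line loses its dashes or a block is cut short. The following check is an added example, not part of the original article or of any F5 tooling; the function names and the sample data are assumptions made for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, body_len = 2, first
    else:
        n = first & 0x7F                  # long form: n length bytes follow
        if n == 0 or len(der) < 2 + n:
            return False
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body_len == len(der)

def build_bundle(pasted: str) -> str:
    """Validate pasted certificate text; return a clean CRLF-separated bundle."""
    text = pasted.replace("\r\n", "\n").replace("\r", "\n")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no complete BEGIN/END CERTIFICATE block found")
    # A marker left outside every matched block means a damaged BEGIN/END line.
    if "CERTIFICATE" in PEM_BLOCK.sub("", text):
        raise ValueError("damaged or unpaired BEGIN/END line")
    out = []
    for i, body in enumerate(blocks, 1):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {i}: invalid base64") from exc
        if not der_length_ok(der):
            raise ValueError(f"certificate {i}: truncated or not DER")
        lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
        out.append("\r\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return "\r\n".join(out) + "\r\n"

# Constructed sample: DER-shaped filler bytes, not a real certificate.
def sample_pem(fill: int) -> str:
    der = b"\x30\x82\x01\x00" + bytes([fill]) * 256
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")
```

Run `build_bundle()` on the text copied from the issuance email and write the returned string to ca-bundle.cer; it only checks structure and does not verify signatures or the chain order.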

III. Configure the profile and associate the certificate

There are two kinds of certificate profile: SSL-Client, for the certificate used between F5 and the client, and SSL-Server, for the certificate used between F5 and the back-end server.

The path from F5 to the client is generally considered unsafe, so a certificate is used there. The path from F5 to the back-end server is generally considered secure and generally does not need a certificate.

Parent Profile: trust the same root certificate. Serving multiple domain names from one IP requires F5 system version 11.0.

When you are finished, select Update to save. After the certificate is successfully configured, you need to create a Virtual Server with port 443 and load the above Client SSL Profile to enable the SSL certificate for the site.

IV. Configuration of two-way authentication

With two-way authentication, the client must present its personal certificate in order to log on to the specified page. If you do not need to enforce client authentication, there is no need to configure the two-way authentication section.

The following needs to be configured for two-way authentication:

Trusted Certificate Authorities: the root certificate of the client certificate

Client Certificate: there are two modes to choose from

Require: the client must submit a certificate, usually using this method

Request: the client may or may not submit a certificate

Advertised Certificate Authorities: the CA information that the server sends to the client when the client connects, so that the client's pop-up certificate selection list includes only client certificates issued by the selected root certificate. If there is an intermediate certificate, select the certificate chain.

After importing the certificate and setting up the profile, configure the Properties under Virtual Server, bind the virtual service address to the profile you just created, and click Update to complete the certificate configuration.

The logical relationship between them is that the certificate is bound to the profile file and the virtual service invokes the profile file.

Links to related documents on F5's official website:

https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication
