F5 SSL Certificate Renewal Runbook
1 F5 SSL Certificate Renewal Theory
1.1 What is SSL?
1.2 What is an SSL certificate?
1.3 What is PKI?
1.4 What is a root certificate?
1.5 What is an intermediate certificate?
1.6 SSL termination
1.7 What is an SSL client profile?
1.8 What is a parent profile?
2 Process Images
3 Prechecks
4 Process Images
5 F5 SSL Certificate Renewal Process Steps
F5 SSL Certificate Renewal Theory
What is SSL?
SSL, or Secure Sockets Layer, is the industry-standard technology for building an encrypted channel between a client's browser and a website's web server. This link ensures that all data passed between the end user and the web server is encrypted and private. The encrypted channel gives website owners a way to protect their customers' confidential and sensitive information, such as credit card numbers, social security numbers, account information, and passwords. SSL also ensures that the data remains unchanged and untampered while it is in transit. An SSL-encrypted link between the client's browser and the website's web server is built using an SSL certificate.
What is an SSL certificate?
An SSL certificate, also known as a digital certificate, is a small, unique data file that binds an organization's identity with an RSA private key. There are three sections to an SSL certificate: the certificate data, the signature algorithm, and the signature. The certificate data field includes the version, serial number, signature algorithm, validity, subject and issuer, public key, and extensions. The subject and issuer fields are among the more common fields that we will look at in Network Security. They include the information required in the CSR, such as common name, alternative name, organizational name, and organizational location.
What is PKI?
PKI, or Public Key Infrastructure, is the defined process used to manage SSL certificates. The purpose of PKI is to facilitate secure communication for transactions occurring over the internet. Common use cases include e-commerce, online banking, and user login pages. In PKI, unique SSL certificates are created and bound to the identity of an organization's details. These SSL certificates that are bound to an organization's details are referred to as public certificates. In asymmetric PKI cryptosystems, a dedicated public key is used to encrypt the communication while a dedicated private key is used to decrypt that communication. Public certificates, or public keys, are widely disseminated. They are presented to web clients as they navigate to a web server's web page over HTTPS. The public key is used by web browsers to encrypt the electronic communication that is being transmitted to the web server. RSA private keys are, as the name implies, private. Only the owner knows the contents of this key. This is the key used to decrypt the encrypted web traffic. If this key is not kept secure, the website can be compromised and exposed through man-in-the-middle style attacks.
Warning - Protect the RSA Private Key: For the safety of our customers, never place the RSA private key in a public ticket comment, email, or any other form of public documentation/communication. You may only place the RSA private key in a public ticket comment if the customer explicitly asks for this and they are/have been approved by the account admin.
What is a root certificate?
A root certificate, or a Certificate Authority (CA) certificate, is a public self-signed digital certificate that identifies a root certificate authority. A certificate authority is the governing entity that issues and signs certificates. There are 4 certificate authorities that secure 90% of the internet today: GlobalSign, Go Daddy, Comodo, and Symantec (GeoTrust). Root certificates provide a trust anchor for the world. In cryptographic systems, a trust anchor is built from authoritative entities, such as certificate authorities, and provides trust to the world on an assumption basis instead of a derivative basis. This means that if you trust the trust anchor, you assume the trustworthiness of anything it deems to be trustworthy. There are, of course, systems in place to prevent the compromise of certificate authorities. An example of the theory of a trust anchor in use can be seen by looking at the preferences in your internet browser. By default, all client browsers inherently trust the certificate authorities' root certificates.
PKI is based on a chain of trust. This chain of trust is the mechanism that verifies the validity of CA certificates. Root certificates are the foundation of the Public Key Infrastructure cryptosystem and are the top-level certificates that start the chain. Subordinate certificates are created from the root certificate in the form of a tree structure. These subordinate certificates are called intermediate certificates.
What is an intermediate certificate?
An intermediate certificate is a subordinate certificate issued by the trusted root certificate authority. The intermediate certificate issues the certificate used for the client's unique website that exists on the server. This unique website owned by the server is also known as an end-entity. The process builds a certificate chain that begins at the trusted root CA, passes through the intermediate certificate, and ends with the SSL certificate issued to a client and their unique common name. Certificate authorities also use intermediate certificates because they provide extra features and enhanced levels of security.
When a certificate is issued from the intermediate, it is called a chained root certificate. The intermediate certificate is required to complete the chain of trust. Chained root certificates are very common because they reduce the risk of compromise of the certificate authority's root certificate. The risk is reduced because the root certificate's key is stored and remains offline. Remember, if the CA's root certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. Because of this, chained certificate authorities provide an added level of security.
SSL termination
Load balancers have the ability to control and manage SSL traffic. One of the many aspects of SSL management is the ability to offload SSL encryption and decryption from the back-end servers to the load balancer. The advantage of terminating SSL traffic at the load balancer is that it relieves the servers of the need to perform encryption and decryption for every packet they send and receive. This results in a large performance boost for the back-end servers and allows them to focus their resources on handling client traffic. Another advantage is giving the load balancer the ability to see the payload of the application data. This enables the load balancer to modify the application payload or to make intelligent decisions based on that data. F5 load balancers have dedicated SSL modules and are specifically built to handle SSL encryption/decryption processing. In order for a load balancer to terminate SSL traffic for a website, the SSL certificate and the matching RSA private key are both required. The cert and key are uploaded and added to the load balancers in the form of a profile.
What is an SSL client profile?
An SSL client profile is the configuration element that stores the reference certificate, RSA private key, and intermediate cert. The SSL client profile stores these references in another configuration element called a certificate key chain. In SSL termination, client-side refers to communication that occurs between the client on the internet and the load balancer, while server-side refers to communication between the load balancer and the back-end server resources. Most customers accept having the load balancer terminate SSL traffic on the client-side and allow server-side communication to remain unencrypted. Other customers, or the compliance requirements they must follow, do not allow that. In those cases, in order for the load balancer to keep the SSL termination advantages, a client-side SSL profile can be created to decrypt the traffic as it comes into the device, and a server-side SSL profile can be used to re-encrypt the data as it leaves the load balancer for the back-end servers. Other common values that can be defined in an SSL client profile include the parent profile, ciphers, and SNI.
What is a parent profile?
When a client SSL profile is created, a parent profile field is required. The parent profile is an existing profile whose values are inherited as defaults by the new client SSL profile for any options that are left unmodified. It is common for our customers to use a unique parent profile with a specific cipher configuration so that their sites negotiate only certain cipher suites. The F5 BIG-IP load balancer uses a very extensive set of cipher suites by default. Often this default list includes cipher suites that are not highly secure, which may break some of our customers' required compliance.
#Here is an example of creating a VIP with SSL offloading.
#Management of public/private keys and certificates will be covered next time.
1. Import the Certificate, Key, and Intermediate certificate.
======
Navigate to System > File Management > SSL Certificate > Click the Import button.
Under SSL Certificate/Key Source
Import Type: Key
Key Name: testdigital.com-2019
Key Source: Choose the file
Click the import button.
==
Navigate to System > File Management > SSL Certificate > SSL Certificate List> Select "testdigital.com-2019"
Under General Properties > click the Import button
Under SSL Certificate/Key Source
Certificate Source: Locate the file
Click the Import button.
======
2. Create the Client SSL profile "testdigital.com-2019"
======
Navigate to Local Traffic > Profiles > SSL > Client > click the Create button
Name: testdigital.com-2019
Certificate Key Chain:
Certificate: testdigital.com-2019.crt
Key: testdigital.com-2019.key
Chain: GeoTrust_SSL_**_2018
Click Finish
3. Create the HTTPS Virtual Server "testdomain-443"
======
Navigate to Local Traffic > Virtual Servers > click the Create button
Under New Virtual Server > General Properties
Name: testdomain-443
Source: 0.0.0.0/0
Destination: 10.20.110.225
Service Port: 443 / HTTPS
Configuration:
HTTP Profile: x-forwarded-for
SSL Profile (Client): select "testdomain"
Source Address Translation: Auto Map
Resources:
Default Pool: "test-pool"
Click the Finished button
======
4. Create the HTTP Virtual Server "testdomain-80"
======
Navigate to Local Traffic > Virtual Servers > click the Create button
Under New Virtual Server > General Properties
Name: testdomain-80
Source: 0.0.0.0/0
Destination: 10.20.110.225
Service Port: 80 / HTTP
Configuration:
HTTP Profile: http
Resources:
iRules: http_to_https
Click the Finished button
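Before step 1, the three files to be imported should agree with each other: the certificate must carry the public half of the RSA private key (section 1.2), and the chain file must be the intermediate that actually issued the certificate (section 1.5), otherwise the certificate key chain built in step 2 is wrong. The following pre-check is an added example, not part of the original runbook or of F5's tooling; it assumes openssl 1.1.1 or later on the operator's workstation, PEM-encoded files, and a chain file holding the issuing intermediate rather than the root.

```shell
#!/bin/sh
# Added pre-check for the runbook's import step (example code, not F5's or the
# runbook author's). Assumes: openssl 1.1.1+ on PATH, PEM-encoded files, and a
# chain file that holds the issuing intermediate (not the offline root).
# Usage: precheck_bundle testdigital.com-2019.crt testdigital.com-2019.key <intermediate>.crt

# SHA-256 over the DER SubjectPublicKeyInfo taken from a certificate.
spki_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint derived from the private key (PKCS#1 or PKCS#8 PEM).
spki_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when cert, key and chain agree; 1 = unparsable file or key mismatch,
# 2 = chain file did not issue the cert (or cert not currently valid),
# 3 = cert expires within 30 days. Messages go to stderr.
precheck_bundle() {
    cert=$1; key=$2; chain=$3
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: cannot parse certificate $cert" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: cannot parse private key $key" >&2; return 1; }
    # 1. The certificate must bind the public half of this RSA private key;
    #    otherwise the cert-key-chain in the client SSL profile will not work.
    c=$(spki_from_cert "$cert"); k=$(spki_from_key "$key")
    if [ -z "$c" ] || [ "$c" != "$k" ]; then
        echo "FAIL: private key $key does not match certificate $cert" >&2; return 1
    fi
    # 2. The chain file must be the intermediate that signed the certificate.
    #    -partial_chain accepts the intermediate itself as the trust anchor, so
    #    the CA's offline root is not needed for this check.
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $chain did not issue $cert (wrong intermediate, or cert not valid)" >&2; return 2
    fi
    # 3. A renewal that is already close to expiry should not be imported.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days" >&2; return 3
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate -nameopt RFC2253 | tr '\n' ' ')"
    return 0
}
```

Run it against the three files before the GUI import; a non-zero exit means stop and get the correct file from the customer rather than importing a mismatched cert, key or chain.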
#Finally, enter your domain name or the VIP to check whether SSL was installed successfully.
#SSL is a very large field; more articles on it will follow.
https://www.sslshopper.com/ssl-checker.html
#Recommended:
https://techmusa.com/ssl-deploment-f5-lbr/