F5 Big-IP

Save your previous configuration

If you currently have a digital certificate installed on the Big-IP for a certain host, and you want to put a new digital certificate on that host, we recommend backing up the entire configuration in the event that there is an issue later on.

To backup your current configuration, run the following command as the root user:

# bigpipe config save yourwebsite.com-backup10-03-2005

The backed up configuration should be in the /usr/local/ucs/Setup_backup.ucs file. Save that file to another location outside of the Big-IP so that you can restore it if necessary. Also, copy your key, csr, and crt files in /config/bigconfig/ so that they end with .backup. After you have copied them to their new names you should remove them from the folder to make room for the new csr, key, and crt files.

Create a new SSL/TLS configuration

Before creating the new CSR and key, you will need to create a new SSL/TLS configuration file by running the following command:

# /usr/local/bin/genconf

When you run this command, the Big-IP will ask for your company information. When you enter that information, please keep a few things in mind:

Certificate Information Guidelines

Location - Enter the location where your business operates, not where your server is located. If you are an international customer in a country without a State/Province or City/Locality, leave those fields blank.

  • Country Name - Enter the two letter International Organization for Standardization (ISO) abbreviation of the country where your organization is legally located.
  • State/Province - Spell out the entire name of your state or province. For example, if your business operates in Texas, enter "Texas" and not "TX".
  • City/Locality - Spell out the entire name of your city or locality.

Organization - Enter the full, unabbreviated legal name of your business. Include any applicable suffix, such as "Inc" or "LLC". If your company name is registered in an abbreviated form, then you may use that abbreviation if you want.

Organizational Unit - This field will not be included in your certificate, so you can leave it blank.

Common Name - Enter the web address of your site. It must be a fully qualified domain name. Both www.yourdomain.com and yourdomain.com are acceptable. Do not include http:// or https://. When ordering a wildcard Server Certificate, you will use *.yourdomain.com

Email Address - Enter the address of the person responsible for digital certificates in your organization. This field is optional.

Generate the Key and CSR

Run the following command to generate a new certificate request:

# /usr/local/bin/genkey www.yourdomain.com

Be sure to replace www.yourdomain.com with the actual hostname of your host. You will be prompted again for your company information during this step.

Protect your new private key for a digital certificate

  1. Never give this file to anyone outside your company. Also restrict the access to it to the smallest possible group of employees.
  2. When you get your certificate, you must install this private key in a secure folder that has limited access to a root user and is protected with read-only permission.
  3. Backup your private key. There is no way to recover it if it is lost. Protect that backup with additional security such as an encrypted or password-protected backup. Your private key is integral to the digital certificate process.
  4. If you suspect that your private key is compromised, alert VikingCloud™ immediately. VikingCloud will revoke your certificate so that you can generate a new private key and CSR. You can then submit the new CSR for VikingCloud to reissue your certificate.

After the genkey command is complete, you will have a CSR in the file /config/bigconfig/ssl.csr/www.yourdomain.com.csr. Move that file to a computer that can access the VikingCloud™ Control Center (we recommend using FTP to move the file).

Submit the CSR to VikingCloud

Now navigate to the location of your saved CSR and open it with a suitable text editor such as Notepad, TextEdit, or vi. Copy the entire text - including the top and bottom dashed lines. You can paste this text directly into the VikingCloud Control Center - Submit your CSR to proceed to validation.