bg-tutorials

How to Generate a CSR on F5 products

This guide shows you how to generate a CSR (Certificate Signing Request) on F5 BIG-IP.

The same workflow covers every BIG-IP module that terminates TLS (LTM, APM, GTM/DNS, ASM/Advanced WAF), since they all share the TMOS certificate store. The main path uses the BIG-IP Configuration utility (TMUI); a short section near the end shows the equivalent tmsh command for anyone who prefers the CLI, and a separate legacy section covers F5 FirePass SSL VPN.

The BIG-IP private key is generated and stays on the device throughout the process: you only ever send the CSR to your CA. When the signed certificate comes back, you import it against the same SSL Certificate entry so the key and certificate stay paired. For the end-to-end installation flow after the certificate is issued, see how to install an SSL certificate on F5 products.

Generate a CSR on F5 BIG-IP

The steps below apply to BIG-IP 13.x, 14.x, 15.x, 16.x, and 17.x using the Configuration utility, and to the new BIG-IP 21.x branch released in November 2025 (BIG-IP 21.x carries forward the TMOS workflow from 17.x). On BIG-IP 12.x and earlier, the menu path is different (called out in Step 1).

Step 1: Open the SSL Certificate List

  • Log in to the BIG-IP Configuration utility (TMUI) as an administrator.
  • On BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
  • On BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
  • Click Create in the upper-right corner. The New SSL Certificate dialog opens.

Step 2: Name the certificate and pick the issuer

  • Under General Properties, enter a unique Name for the SSL certificate (BIG-IP uses this name internally to track the key and the matching certificate). Use something descriptive such as www_example_com_2026.
  • Under Certificate Properties, from the Issuer drop-down list, select Certificate Authority. This is the option that produces a CSR for an external (public) CA to sign; Self would generate a self-signed certificate instead.

Step 3: Fill in the certificate subject and SAN

Use only standard ASCII characters; non-Latin letters break the request. Fill in the fields as follows:

  • Common Name: the fully qualified domain name (FQDN) you want to secure, for example www.example.com. For a wildcard certificate, put an asterisk in front of the apex domain, for example *.example.com.
  • Subject Alternative Name: list every hostname the certificate must cover, comma-separated, each prefixed with DNS: (or IP: for an IP SAN where the CA allows it). For example: DNS:www.example.com, DNS:example.com, DNS:api.example.com. Include the Common Name here too; modern clients (Chromium, Firefox, Safari, .NET, Java, Go) validate the hostname only against the SAN extension, and a missing SAN is the most common reason for a CSR to be rejected or to fail browser trust after issuance.
  • Division (Organizational Unit): leave blank. The OU attribute has been deprecated by the CA/Browser Forum and most public CAs strip it from issued certificates.
  • Organization: the full legal name of your company, exactly as registered, for example GPI Holding LLC. Required for OV and EV certificates. For Domain Validation (DV) orders this field is ignored, so any short placeholder is fine.
  • Locality: the full name of the city where your organization is registered (for example Seattle, not SEA).
  • State or Province: the full state or province name (for example Washington, not WA).
  • Country: select your country from the drop-down list (BIG-IP writes the two-letter ISO code into the request, for example US, GB, DE).
  • E-mail Address: optional; a contact address that goes into the CSR. Most public CAs ignore this field and use the email on the order instead.
  • Challenge Password: leave blank unless your CA specifically asks for one.

Step 4: Choose key type and key size

  • Key Type: select RSA for a standard public certificate (the choice every public CA supports). Use ECDSA only if your CA confirms the order profile supports it and you have a specific reason to prefer it.
  • Key Size: select 2048. That is the current minimum every public CA accepts. Pick 3072 or 4096 only if your policy requires a larger key; the trade-off is a slightly slower TLS handshake.
  • Security Type: leave the default (Normal) unless your environment uses FIPS or an external HSM, in which case pick the corresponding option so BIG-IP generates the key in the right keystore.

Step 5: Finish and generate the CSR

Verify every field, then click Finished. BIG-IP generates the private key inside the device key store, creates a matching PKCS #10 CSR, and returns you to the SSL Certificate List. Your new entry shows up there with the name you assigned, marked as a pending request until the signed certificate is imported.

Step 6: Copy the Request Text and submit it to your CA

  • In the SSL Certificate List, click the entry you just created.
  • Open the Certificate Authority tab (some BIG-IP versions label it CA).
  • Copy the entire contents of the Request Text box, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST marker lines. (You can also click Download Request to save it as a .csr file.)

The CSR you copied looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24x
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----

Paste the full block (markers included) into the CSR field on your SSL order. The private key never leaves the BIG-IP, so do not paste anything else from the device into the order form. When the CA validates the request and emails you the issued certificate plus its intermediate chain, return to the same SSL Certificate entry, open it, and import the signed certificate (this keeps the existing key paired); then import the chain as a separate Certificate object and reference both in your Client SSL profile. The full import and Virtual Server assignment is covered in how to install an SSL certificate on F5 products.

Check the CSR before you submit it (optional)

It is worth confirming the Common Name, SAN entries, and key size before sending the request to your CA. Paste the Request Text into SSL Dragon’s CSR decoder to read back the subject, SAN list, and key length. The Common Name should match the hostname clients will use, and every required hostname must appear under the Subject Alternative Name list. If you have OpenSSL available on a workstation, the same details print locally:

openssl req -noout -text -in request.csr

Optional: generate the CSR from tmsh (CLI)

If you prefer the TMOS shell, you can generate the key and CSR in a single command. Connect to BIG-IP over SSH, enter tmsh, then run:

create sys crypto key www_example_com_2026 gen-certificate gen-csr \
  key-size 2048 \
  common-name www.example.com \
  organization "Example Inc" \
  country US \
  state Washington \
  city Seattle \
  subject-alternative-name "DNS:www.example.com,DNS:example.com,DNS:api.example.com"

This creates the key in the BIG-IP key store under the name you chose and writes the matching CSR to /config/ssl/ssl.csr/<name>.csr. Display it with:

cat /config/ssl/ssl.csr/www_example_com_2026.csr

Copy the full BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST block and submit it to your CA exactly as you would from the GUI flow.

Generate a CSR on F5 FirePass SSL VPN (legacy)

Note: F5 FirePass is End of Sale and End of Software Development. Its remote-access role was replaced by BIG-IP APM, and no current public CA support guarantees apply to FirePass appliances. Use this section only if you are still maintaining a legacy FirePass system you cannot yet replace; for any new deployment, generate the CSR on BIG-IP APM instead.

  • Log in to your FirePass admin console.
  • Go to Server > Security and select Certificate > Generate a New Certificate Request.
  • Fill in the request fields:
    • Server Name: the fully qualified domain name (FQDN) of the host you want to secure, for example yourdomain.com. For a wildcard, put an asterisk in front (for example *.yourdomain.com).
    • Country Name: select the country where your company is registered.
    • State: the state or province where your company is registered, written in full.
    • City: the city where your company is registered, written in full.
    • Company: the full legal name of your company.
    • Organizational Unit: a short department label such as IT or Web. Public CAs largely ignore this field today, so keep it minimal.
    • Contact Email: a valid email address.
    • Expiration: skip.
    • Encryption Password: set a password to encrypt the private key on the FirePass appliance, then confirm it.
  • Double-check every field, then click Generate Request.
  • Click the Here link to download the CSR and private key. Keep the key and its password somewhere safe; you need them at installation time and they cannot be recovered later.

The FirePass wizard does not expose a Subject Alternative Name field, so the CSR carries only the Common Name. Public CAs copy the CN into a SAN entry automatically for single-name issuance, but the request cannot encode more than one hostname; if you need a multi-domain certificate, generate the CSR with our CSR Generator and import the issued certificate on FirePass alongside the key it produced.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.