bg-tutorials

How to Install an SSL Certificate on F5 Products

This guide shows you how to install an SSL certificate on F5 products. The main path covers F5 BIG-IP (the current platform): import the certificate, key, and chain, create a Client SSL profile, then assign that profile to your Virtual Server, which is the step that actually serves the certificate to visitors. A separate section covers the legacy F5 FirePass SSL VPN.

Generate a CSR code

The CSR (Certificate Signing Request) is a block of encoded text containing your contact details, such as domain name and company information. You generate it as part of the SSL order process and send it to your Certificate Authority (CA). Along with the CSR, you also create your private key. Keep the key safe, because you need it during installation. You have two options:

After creating the CSR, copy its contents and paste them directly into your SSL order, or save them to a text file. Include the full BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST marker lines. Each marker uses five hyphens on each side, like this:

-----BEGIN CERTIFICATE REQUEST-----
... your CSR data ...
-----END CERTIFICATE REQUEST-----

Once your CA validates the request and emails you the certificate files, continue with the installation below.

Install an SSL certificate on F5 BIG-IP

These steps apply to BIG-IP 13.x through 17.x using the Configuration utility (TMUI). The workflow has three parts: import the files, build a Client SSL profile, then assign that profile to the Virtual Server.

Step 1: Prepare your files

Your CA delivers the certificate files, usually in a ZIP archive. Download and extract it. You should have:

  • Your primary server certificate (the end-entity certificate for your domain).
  • The intermediate certificate(s), also called the chain or CA bundle.
  • The private key you generated with the CSR.

You do not need to merge these files manually. BIG-IP imports the certificate, key, and chain as separate objects and assembles them in the Client SSL profile.

Step 2: Import the certificate, key, and chain

  • Log in to the F5 BIG-IP Configuration utility (TMUI).
  • Go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List. (On BIG-IP 12.x and earlier, the path is System > File Management > SSL Certificate List.)
  • Click Import. In the Import Type list, select Certificate.
  • For Certificate Name, select Create New and enter a unique name.
  • For Certificate Source, choose Upload File and browse to your certificate, or choose Paste Text and paste the certificate contents. Click Import.
  • Repeat the import for your private key: click Import again, set Import Type to Key, give it a name, upload or paste the key, then click Import.
  • Repeat once more for the intermediate chain: import it as a Certificate with its own unique name. If the file contains more than one intermediate, import it as a single bundle so the whole chain stays together.

Note: import the chain (intermediates), not the root. Browsers already trust the root CA, so the server only needs to send your certificate plus the intermediates.

Step 3: Create a Client SSL profile

The Client SSL profile ties the certificate, key, and chain together so BIG-IP can present them to clients.

  • Go to Local Traffic > Profiles > SSL > Client, then click Create.
  • Enter a unique Name, and from Parent Profile select clientssl.
  • Select the Custom check box next to Configuration so the certificate fields become editable.
  • Under Certificate Key Chain, click Add. Set Certificate to the certificate you imported, Key to your private key, and Chain to your intermediate bundle. Click Add, then Finished.

For current security, confirm the profile negotiates modern protocols only. TLS 1.2 and TLS 1.3 should be enabled and SSLv3, TLS 1.0, and TLS 1.1 disabled. On recent BIG-IP versions the default clientssl parent already disables the obsolete protocols.

Step 4: Assign the profile to your Virtual Server

This is the step that actually serves the certificate. Until the profile is attached to a Virtual Server, nothing changes for visitors.

  • Go to Local Traffic > Virtual Servers and click the HTTPS Virtual Server that handles your site (it should listen on port 443).
  • In the SSL Profile (Client) setting, select your new profile in the Available list and use the Move button to move it to Selected.
  • Click Update.

Congratulations, your SSL certificate is now installed and served on F5 BIG-IP. If you do not yet have a Virtual Server listening on port 443, create one first, set its destination to your service IP and port 443, then attach the Client SSL profile as above.

Legacy: F5 BIG-IP versions earlier than 9

Very old BIG-IP releases (earlier than version 9) used the file system and the TMOS shell instead of the import workflow above. If you still run one of these, upgrade if at all possible. The historical steps are:

  • Use an SFTP client such as FileZilla to copy your primary and intermediate certificates to the device.
  • Place the primary certificate (for example your.domain.name.crt) and the intermediate (for example intermediate-ca.crt) in the /config/bigconfig/ssl.crt/ directory.
  • Restart the proxy so it picks up the new certificate. Run each command on its own line:
bigpipe proxy :443 disable
bigpipe proxy :443 enable

Your SSL certificate is then active on the platform.

Install an SSL certificate on F5 FirePass SSL VPN (legacy)

Note: F5 FirePass reached end of life and is no longer supported by F5. Its remote-access role was replaced by BIG-IP APM. These steps are kept for anyone still maintaining a FirePass appliance; for any current deployment, use BIG-IP instead.

Step 1: Prepare your files

Download the ZIP archive containing your certificates and extract the files on your device. You also need your private key and its password.

Step 2: Install the certificate

  • Log in to your F5 FirePass host.
  • Go to Device Management > Security > Certificates.
  • In the Renew/Replace SSL Server Certificate tab, click Install.
  • In the box labeled Paste the new certificate in the PEM format (for Apache + mod_ssl) here, paste your SSL certificate. Open the file in any text editor, such as Notepad, and include the full BEGIN and END marker lines.
  • In the box labeled Paste the corresponding cryptographic key in PEM format here, paste your private key (created with the CSR).
  • In the Enter Password here field, type the password you set for the private key during CSR generation.
  • In the box labeled Optionally, put your intermediate certificate chain here (in the PEM format), paste your intermediate (and root, if required) certificates, then click Go.

Note: if you see the error Your Certificate chain cannot be fully verified, check that the intermediate chain is complete and pasted in the correct order, then re-import.

Step 3: Configure the web service

  • In the FirePass host, click Web Service.
  • Click Configure, then Add New Service.
  • In the Certificate menu, select the certificate you just added.
  • Click through the sequence: Update, then Finalize, Finalize Changes, Apply Changes, and Restart.
  • The FirePass host restarts and serves the new certificate.

Test your SSL installation

After installing the certificate, run an SSL scan to check for configuration errors or weak protocols. For details, use our SSL Checker to test your SSL certificate.

You can also confirm the certificate from the command line. Replace the hostname with your own:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

This prints the issuer, subject, and validity dates of the certificate BIG-IP is serving, which confirms the Client SSL profile is attached to the Virtual Server correctly.

Frequently Asked Questions

Where do I import an SSL certificate on F5 BIG-IP?

In the Configuration utility, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List and click Import. Import the certificate, the private key, and the intermediate chain as separate objects. On BIG-IP 12.x and earlier, the path is System > File Management > SSL Certificate List.

Why is my certificate not being served after import?

Importing the files is only the first part. You must create a Client SSL profile (Local Traffic > Profiles > SSL > Client) that references the certificate, key, and chain, then assign that profile to your Virtual Server under Local Traffic > Virtual Servers in the SSL Profile (Client) setting. Until the profile is attached to a Virtual Server listening on port 443, BIG-IP does not serve the certificate.

Do I need to import the root certificate on F5 BIG-IP?

No. Import your server certificate and the intermediate chain, and set both in the Client SSL profile. Browsers already trust the root CA, so the server only needs to present your certificate plus the intermediates. Importing the chain prevents the common “incomplete certificate chain” error.

What is the difference between a Client SSL and a Server SSL profile?

A Client SSL profile handles TLS between the client and BIG-IP, so it holds the certificate visitors see. This is the profile you need to serve your public certificate. A Server SSL profile handles TLS between BIG-IP and the backend pool members, and is only needed for re-encryption to the backend.

Is F5 FirePass still supported?

No. F5 FirePass reached end of life and no longer receives updates. Its SSL VPN role was replaced by BIG-IP APM. If you are deploying new remote-access infrastructure, use BIG-IP rather than FirePass.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.