Certificate authentication, Iphone VPN on demand, BigIP F5, godaddy

So we have this cool VPN device from F5 that gives us basically single click entry into our Qlikview. Unfortunately, a certificate expired and then everything broke. This was setup by an F5 consultant, and wasn’t documented. (Note to self, have your consultants document what they do)

So now the crap hit the fan, after spending all day on the phone with F5 support finally they were able to get us up and running again! Thanks F5 guys for working it out!

So, step one. We needed a SSL certificate (my boss didn’t like the last place) we decided to go with a simple godaddy 5 year ssl cert for $60 versus a verisign which I think cost like $1000 (crazy)

Now actually getting to where you can submit your certificate is a little bit cryptic. After you buy it, you go to the Manage Certificates and your like, so now what? So you click the Credits, and then you click the refresh arrow, and then your credit will show up.



So now you can redeem your credit, so now on the BigIP size of things you need to create your certificate signing request, (CSR)


So goto Local Traffic, SSL Certificates, Create, Give it a name, choose Certificate Authority, fill in the common name (I pretty sure this has to match the DNS entry) make it 2048 bits and fill in the rest of the stuff.

Godaddy has a page describing this as well




Hit finished copy the encryption garbage into your clipboard and then paste it into the godaddy window that looks like this.

Ok Godaddy will chug on it for a while and then you need to prove that you own the domain. The easiest way was to click on the ‘whats the hold up’ link for go daddy and the create the simple little html file proving you own the site. After you have proved you own it, then you can download the certificate, and the godaddy bundle.

So now you need to import the certificate, and the key. So back to the Local traffic, SSL certificates screen, press import, give it a name (i chose one that matched the domain). There, now you have a server SSL certificate.

You have to set your SSL client profile to use this for the certificate & the key.

Ok, now are you ready for even more fun????

So we also need to verify that our iphone clients have a client certificate (in order to do the Iphone VPN demand you need to use certificate based vpn) (we also NT authenticate as well)

So in order to do this you need to create a certificate authority, create and sign client certificates, and then configure the F5 to use them, and then export in an iphone friendly format.

Here we go, so get yourself a copy of openssl.cnf (in my case F5 support had one) and then used winscp to copy it over to /tmp/ert/openssl.cnf

This post has pretty much the same steps, but uses different dir(s)

Now ssh into your F5 box, I suppose you could do this anywhere openssl was installed.

And then run the following procedure

Creating a CA certificate

Create a directory to contain your CA certificate by typing the following command syntax:

mkdir /tmp/cert

Create a private directory in your CA directory by typing the following command syntax:

mkdir /tmp/cert/private

Create a client certificate directory in your CA directory by typing the following command syntax:

mkdir /tmp/cert/client

Create a serial number file for your CA by typing the following command syntax:

echo “0001” >/tmp/cert/

Create a CA certificate and key by typing the following command syntax:

  • openssl req -new -x509 –days 365 -keyout /tmp/cert/private/nffckey.pem -out /tmp/cert/private/nffccert.pem -config /tmp/cert/openssl.cnf

Creating and signing a client certificate

Create a client certificate request by typing the following command syntax:

openssl req -new -newkey rsa:512 -nodes -out /tmp/cert/client/client.req -keyout /tmp/cert/client/client.key

Sign the client certificate by typing the following command syntax:

openssl x509 -CA /tmp/cert/private/nffccet.pem -CAkey /tmp/cert/private/nffckey.pem -CAserial /tmp/cert/ -req -in /tmp/cert/client/client.req -out /tmp/cert/client/client.pem -days 365



You created the CA located at:



You created a client cert located at:


Export to PKCS#12

openssl pkcs12 -export -clcerts -in /tmp/cert/client/client.pem -inkey /tmp/cert/client/client.key -out /tmp/cert/client/client.p12


So now you need to import Your CA cert and Key into the F5, go to the same SSL certificate place. I named them the same and then the system combined them together into a Certificate & Key.

So now under the Local Traffic  ››  Profiles : SSL : Client

I click my vpn profile and change the Trusted Certificate Authorities to my newly created one, and also changed the advertised certificate authorities to the new one.

Then I email out the P12 to the iphone clients, change over the profile to use the new certificate and we are back in business!








One Response

  1. Few things have taken me closer to hara-kiri then working with certs. And the security folks wonder why more people don’t use them. I sometimes think there is a concerted effort to make them as insanely difficult to use as possible. Nice write up.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: