See below for using F5 BIG-IP certificate management services as a key management server. 

To create a F5 BIG-IP key manager

  1. Log in as an administrator with either:
  2. Go to Control > Key Managers.
  3. Click Create to configure the following settings. 
  4. Click Verify to check the connection with the key manager.

Label

A descriptive name of the key manager.

Mandatory: Yes

Owner

The username of the person responsible for the key manager.

The user who adds the key manager is automatically made the owner. You can later edit this field and assign ownership to someone else.

Description

A description of the key manager.

Mandatory: No

Authorization Tags

A list of authorization tags. Custom Roles that carry any of these tags grant their permissions on this key manager.

Mandatory: No

Plugin Type

Select F5-BIG-IP-KMS-Plugin.

Mandatory: Yes

Host

The URL of the F5 BIG-IP server host. For example:

https://f5.entrust.com

Mandatory: Yes

Port

The port for accessing the F5 BIG-IP service. 

The default F5 BIG-IP port is 443.

Mandatory: Yes

Partition/Path

The partition and path, in the following syntax:

<partition>/<path>

Where:

  • <partition> is the name of an F5 BIG-IP server partition.

    The user must have access to this partition.

  • <path> is the path of a subdirectory within the partition.

Both values are case sensitive.

Mandatory: Yes

Username

The username for authenticating to the F5 BIG-IP server.

The selected user must have an administrator role for the given partition in the F5 BIG-IP server.

Mandatory: Yes

Password

The password for authenticating to the F5 BIG-IP server.

Mandatory: Yes

Host CA Bundle (PEM)

The certification chain of the F5 BIG-IP server, as a bundle in PEM format.

Mandatory: Yes

Key Type

The type of keys managed by the F5 BIG-IP server:

  • RSA
  • EC
  • DSA

Mandatory: Yes

Key Length

The bit length of the generated keys.

Mandatory: When Key Type is RSA or DSA.

Curve Name

The name of the elliptic curve.

Mandatory: When Key Type is EC.

Security Type

The type of security for generating the keys:

  • FIPS Enabled Key
  • Normal Key

Mandatory: No. This optional value defaults to Normal Key.

Enable hostname verification

Check this box for validating the F5 BIG-IP server certificate in each connection.

Allow private key export

Check this box to allow exporting the private key from the key manager – for example, to push the same certificate and key to other destinations.

The key manager server must support key export.
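The settings above carry several rules that are easy to get wrong when an entry is created by script rather than through the form: the `<partition>/<path>` syntax, the fields that are mandatory only for a given Key Type, the defaults for Port and Security Type, and what "Enable hostname verification" changes about the TLS connection. The following Python script is an added example, not code from Entrust or F5: it validates a key manager definition against those rules and builds the matching TLS client context. The field names are the ones on this page; the sample entry, the password placeholder and the PEM placeholder are constructed, and the `ca_bundle_pem=None` shortcut exists only so the demo runs without a real certificate chain.

```python
"""Check an F5 BIG-IP key manager definition before it is submitted.

Added example, not code from Entrust or F5. Field names are the ones on
this page; the checks encode its Mandatory notes, the <partition>/<path>
syntax, the 443 default port and the Security Type default. The sample
settings and the PEM placeholder are constructed.
"""
import re
import ssl

PLUGIN_TYPE = "F5-BIG-IP-KMS-Plugin"
KEY_TYPES = {"RSA", "EC", "DSA"}
SECURITY_TYPES = {"FIPS Enabled Key", "Normal Key"}
DEFAULT_PORT = 443
ALWAYS_MANDATORY = ("Label", "Host", "Port", "Partition/Path", "Username",
                    "Password", "Host CA Bundle (PEM)", "Key Type")

# <partition>/<path>: no whitespace, one separator after the partition; the
# path may contain further '/' components. Matching is case sensitive.
PARTITION_PATH_RE = re.compile(r"^(?P<partition>[^/\s]+)/(?P<path>[^\s]+)$")


def parse_partition_path(value):
    """Split '<partition>/<path>' and return (partition, path), or None."""
    match = PARTITION_PATH_RE.match(value or "")
    return (match.group("partition"), match.group("path")) if match else None


def normalize(settings):
    """Apply the form defaults: Port pre-filled to 443, Security Type to Normal Key."""
    s = dict(settings)
    s.setdefault("Port", DEFAULT_PORT)
    s.setdefault("Security Type", "Normal Key")
    s.setdefault("Enable hostname verification", False)
    s.setdefault("Allow private key export", False)
    return s


def validation_errors(settings):
    """Return a list of problems with the settings; an empty list means valid."""
    s = normalize(settings)
    errors = []
    for field in ALWAYS_MANDATORY:
        if s.get(field) in (None, ""):
            errors.append(f"{field} is mandatory")
    if s.get("Plugin Type") != PLUGIN_TYPE:
        errors.append(f"Plugin Type must be {PLUGIN_TYPE}")
    if not str(s.get("Host", "")).startswith("https://"):
        errors.append("Host must be an https:// URL")
    if not (isinstance(s["Port"], int) and 1 <= s["Port"] <= 65535):
        errors.append("Port must be an integer between 1 and 65535")
    if s.get("Partition/Path") and parse_partition_path(s["Partition/Path"]) is None:
        errors.append("Partition/Path must use the syntax <partition>/<path>")
    if "-----BEGIN CERTIFICATE-----" not in str(s.get("Host CA Bundle (PEM)", "")):
        errors.append("Host CA Bundle (PEM) must contain at least one PEM certificate")
    key_type = s.get("Key Type")
    if key_type in ("RSA", "DSA") and not isinstance(s.get("Key Length"), int):
        errors.append(f"Key Length is mandatory when Key Type is {key_type}")
    elif key_type == "EC" and not s.get("Curve Name"):
        errors.append("Curve Name is mandatory when Key Type is EC")
    elif key_type and key_type not in KEY_TYPES:
        errors.append("Key Type must be one of RSA, EC, DSA")
    if s["Security Type"] not in SECURITY_TYPES:
        errors.append("Security Type must be FIPS Enabled Key or Normal Key")
    return errors


def validate_key_manager(settings):
    """Return the normalized settings, or raise ValueError listing every problem."""
    errors = validation_errors(settings)
    if errors:
        raise ValueError("; ".join(errors))
    return normalize(settings)


def build_tls_context(ca_bundle_pem, hostname_verification):
    """TLS client settings matching the form: trust only the Host CA Bundle and,
    when 'Enable hostname verification' is set, also require the certificate
    name to match the host. ca_bundle_pem=None skips loading so this demo runs
    without a real chain; the form itself never allows an empty bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED, no system CAs
    if ca_bundle_pem is not None:
        ctx.load_verify_locations(cadata=ca_bundle_pem)
    # With the box unchecked the chain is still validated against the bundle,
    # but a certificate issued by that CA for any other name would be accepted.
    ctx.check_hostname = bool(hostname_verification)
    return ctx


# Constructed sample entry; the host is the example URL given on this page.
SAMPLE_SETTINGS = {
    "Label": "f5-prod-kms",
    "Owner": "alice",
    "Description": "Production BIG-IP certificate store",
    "Plugin Type": PLUGIN_TYPE,
    "Host": "https://f5.entrust.com",
    "Partition/Path": "Common/web-certs",
    "Username": "kms-admin",
    "Password": "CONSTRUCTED-PLACEHOLDER",
    "Host CA Bundle (PEM)": "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----\n",
    "Key Type": "RSA",
    "Key Length": 2048,
    "Enable hostname verification": True,
}

if __name__ == "__main__":
    ok = validate_key_manager(SAMPLE_SETTINGS)
    print("valid; port", ok["Port"], "security type", ok["Security Type"])
    broken = {**SAMPLE_SETTINGS, "Key Type": "EC", "Partition/Path": "Common"}
    for problem in validation_errors(broken):
        print("error:", problem)
    ctx = build_tls_context(None, ok["Enable hostname verification"])
    print("hostname check enabled:", ctx.check_hostname)
```

Running the script validates the sample entry, then shows the two errors produced when Key Type is switched to EC without a Curve Name and the Partition/Path loses its `/<path>` part. The TLS context is built from `PROTOCOL_TLS_CLIENT` rather than `create_default_context()` so that only the Host CA Bundle is trusted, which is the behaviour the form describes; leaving the hostname box unchecked keeps chain validation but drops the name check, which is why the box is worth ticking wherever the BIG-IP certificate carries the right name.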