How to move SSL Certificate from IIS to F5 BigIP 11 Loadbalancer

Windows servers use .pfx files to contain the public key file (SSL Certificate) and its unique private key file. The Certificate Authority (CA) provides you with your SSL Certificate (public key file). You use your server to generate the associated private key file where the CSR was created.

You need both the public and private keys for an SSL Certificate to work properly; therefore, if you need to transfer your SSL certificate from one server to another, you need to create a .pfx backup first. Then import into F5 Big-IP

To move perform an Export & Import SSL Certificate from IIS to F5 Big IP 11.x perform the following.

Step 1:  Create an MMC Snap-in for Managing Certificates:

1. Start > run > MMC.
   
   
2. Go into the Console Tab > File > Add/Remove Snap-in.
   
3. Click on Add > Click on Certificates and click on Add.
   
   
   
4. Choose Computer Account > Next
   
5. Choose Local Computer > Finish.
   
6. Close the Add Standalone Snap-in window.
7. Click on OK at the Add/Remove Snap-in window.

Step 2: Export/Backup certificate to .pfx file:

1. In MMC Double click on Certificates (Local Computer) in the center window.
2. Double click on the Personal folder, and then on Certificates.
3. Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export.
4. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
   
   
5. Choose to ‘Yes, export the private key‘
   
   
6. Choose to “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option).
   
7. Enter a password you will remember.
8. Click the box with three … specify a file name and location to save your .pfx/.p12 file.
   
9. Click Finish.
   
10. You will receive a message > “The export was successful.” > Click OK.
    
    The .pfx file backup is now saved in the location you selected and is ready to be moved to the other server system.
    

Step 3: Importing pfx file into F5 BIG-IP 11.x:

PKCS12 is a specifically formatted file that is used with Windows IIS systems. The PKCS 12 file has an extension of .PFX. F5 BIG-IP 11.x automatically converts PKCS12 certificates to PEM format when the files are imported.

To import a PKCS 12 file, perform the following steps:

1. Navigate to System > File Management > SSL Certificates List.
2. Click Import.
   
3. From the Import Type list, select PKCS 12 (IIS).
4. In the Certificate Name section, type a name for the certificate.
5. In the Certificate Source section, click Choose File.
6. Click Import.
   Your certificate is now imported into the F5 Big-IP 11.x Load balancer.

Step 4: Updating the SSL profile:

1. On the left panel, click on Profiles.
2. Choose SSL.
3. Choose Client.
4. From the list, select the SSL profile for your website.
   
   Your SSL certificate is now installed, and the website is now configured.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or an organization that supports it.