How To Create Certificate Signing Request (CSR) For F5 FirePass

To generate a Certificate Signing Request (CSR), perform the following steps:

  1. Click 'Server' from the Admin Console
  2. Hit Security
  3. Go to the link for Certificates
  4. Click the link to Generate a New Certificate Request
  5. Fill out the Certificate Request Form

    A simple form will display. Enter your company legal name and address information. The common name (domain name) entered should be the fully qualified domain name that will be used to access the F5 FirePass device. For example: vpn.your_domain.com

    NOTE: If you choose to enter a password in the 'Encryption Password' field, make sure to remember the password entered. You will need this password later when you install the certificate.
  6. Hit 'Generate Request'
  7. Download the Certificate Request

    When you download the CSR you will receive a .zip file that contains both the CSR and the private key. Save the private key in a secure location. You will need this private key later to install your certificate.

  8. Open your CSR with a text editor, then copy and paste the entire contents of the file to the DigiCert Order Form as you place your certificate order.

IMPORTANT INFORMATION ABOUT FIREPASS SUPPORT FOR 2048-BIT and 4096-BIT SSL CERTIFICATES

FirePass supports 2048-bit and 4096-bit SSL certificates. However, the Generate New Certificate Request feature located in the administrator GUI in the Device Management: Security: Certificates page only generates 1024-bit Certificate Signing Requests (CSRs) for FirePass versions prior to 6.1.0 with cumulative HF-610-1 installed.

If you need to submit a 2048-bit or 4096-bit CSR to your Certificate Authority to obtain your signed certificate, and you are unable to upgrade to version 6.1.0 with cumulative HF-610-1 or later, or to FirePass version 7.0.0, you will need to use another application, such as CYGWIN or OpenSSL, to generate the CSR.

For example:

# openssl req -new -nodes -days 365 -newkey rsa:2048 -keyout new.key -out newcert.csr

Important: The CSR you create must be compatible with Apache mod_ssl.
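The following shell functions are an added example, not part of the original F5 or DigiCert instructions. They generate the 2048-bit key and CSR with OpenSSL and then check the result before it is submitted: the CSR's self-signature verifies, the key size meets a minimum, and the CSR's public key belongs to the saved private key. The function names, file names and subject fields are assumptions.

```shell
#!/bin/sh
# Added example: function names, file names and subject values are placeholders.

# make_csr <bits> <common-name> <key-out> <csr-out>
# -nodes writes the private key unencrypted, so restrict its permissions.
make_csr() {
    ( umask 077
      openssl req -new -nodes -newkey "rsa:$1" \
          -subj "/C=US/O=Example Corp/CN=$2" \
          -keyout "$3" -out "$4" 2>/dev/null )
}

# csr_bits <csr>: print the CSR's public key size in bits.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# csr_matches_key <csr> <key>: succeed only if the CSR was built from this key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# check_csr <csr> <key> <min-bits>: run all checks before submitting to the CA.
check_csr() {
    # Match on the message: older OpenSSL builds exit 0 even when verification fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature does not verify"; return 1; }
    bits=$(csr_bits "$1")
    [ "${bits:-0}" -ge "$3" ] ||
        { echo "key too small: ${bits:-unknown} bits"; return 1; }
    csr_matches_key "$1" "$2" ||
        { echo "CSR does not match private key"; return 1; }
    echo "ok: ${bits}-bit CSR matches private key"
}
```

Running check_csr against a CSR downloaded from the FirePass GUI, with a minimum of 2048, shows whether the appliance produced a 1024-bit request.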

If you do not want to purchase a third-party SSL certificate, FirePass can generate a 1024-bit self-signed SSL certificate. The Generate/Install Self-Signed Certificate feature is located on the Device Management: Security: Certificates page.

Full instructions for managing SSL certificates can be found in the Administrator Guide for your version of software. An overview of obtaining and installing SSL certificates can be found in SOL9817: Obtaining and installing third-party SSL certificates.

F5 Product Development tracked a request for enhancement (RFE) to add support for generating 2048-bit or 4096-bit CSRs, in the form of a drop-down box to select the key size, as ID 317795 (formerly CR86885). It was introduced in cumulative HF-610-1, issued for FirePass version 6.1.0. You may download this hotfix or later versions of the cumulative hotfix from the F5 Downloads site.

To view a list of the latest available hotfixes, refer to SOL10322: FirePass hotfix matrix.

For instructions about obtaining a hotfix, refer to SOL167: Downloading software from F5.

For instructions about installing a hotfix, refer to SOL3430: Installing FirePass hotfixes.  

The above information can also be found on the F5 Support website.