If you do not have a certificate, you may complete the Certificate Signing Request (CSR) form and click the Create CSR button. CSRs generated by the LoadMaster use SHA256.

Note: If Self-Signed Certificate Handling is set to EC certs with an EC signature (in Certificates & Security > Remote Access), CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users (regardless of their permissions) can generate CSRs.

2 Letter Country Code (ex. US)

The 2 letter country code that should be included in the certificate, for example US should be entered for the United States.

State/Province (Entire Name – New York, not NY)

The state which should be included in the certificate. Enter the full name here, for example New York, not NY.

City

The name of the city that should be included in the certificate.

Company

The name of the company which should be included in the certificate.

Organization (e.g., Marketing,Finance,Sales)

The department or organizational unit that should be included in the certificate.

Common Name

The Fully Qualified Domain Name (FQDN) for your web server.

Email Address

The email address of the responsible person or organization that should be contacted regarding this certificate.

SAN/UCC Names

A space-separated list of alternate names.

Generate Elliptical Curve Request

By default, CSRs generated by the LoadMaster request an RSA key. If you enable the Generate Elliptical Curve Request option, the LoadMaster instead requests an EC (Elliptical Curve) key. Smaller EC key sizes generally provide the same cryptographic strength as much larger RSA key sizes. EC keys are becoming increasingly common because of both the reduced storage footprint and the reduced processing resources required.

Display Private Key

This new option (introduced in LoadMaster firmware version 7.2.52 and LTS version 7.2.48.3) appears only when the Certificates & Security > Remote Access > Self-Signed Certificate Handling option is set to EC certs with an EC signature, which means that an elliptical curve cipher is used for both the certificate and the digital signature.

Once the above option is selected, a Display Private Key check box appears on the Certificates & Security > Generate CSR WUI page.

  • When Display Private Key is disabled (the default), the private key is not displayed in the WUI after the CSR is created. The unsigned CSR is downloaded by the user as in previous releases. Once it is signed by a Certificate Authority, the user uploads the signed certificate to the LoadMaster - the difference from previous releases being that the user does not have to also upload the private key, since LoadMaster maintains it internally when Display Private Key is disabled. If the saved private key matches the new certificate, the certificate gets imported and the saved private key is deleted. The stored private key is not encrypted but there is no access to it from the outside and it cannot be seen or displayed.
  • When Display Private Key is enabled, the LoadMaster behaves as in previous releases: the private key is displayed to the user and must be uploaded to the LoadMaster along with the signed certificate.

There is only one private key per machine and it is not shared between High Availability (HA) pairs. This means the newly-generated certificate must be installed on the machine that the CSR was generated on.

After clicking the Create CSR button, the following screen appears:

The top part of the screen should be copied and pasted into a plain text file and sent to the Certificate Authority of your choice. They will validate the information and return a validated certificate.

The lower part of the screen is your private key and should be kept in a safe place. This key should not be disseminated as you will need it to use the certificate. Copy and paste the private key into a plain text file (do not use an application such as Microsoft Word) and keep the file safe.
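Because the signed certificate is only accepted on the unit whose private key matches it, it helps to confirm which CSR a returned certificate belongs to before uploading it. The following script is an added example, not part of the LoadMaster or its documentation: it compares the public key in the certificate with the public key in the saved CSR (or in the private key, if Display Private Key was enabled). It assumes the OpenSSL command-line tool is installed and that all files are PEM text; the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not LoadMaster code): confirm that a CA-issued certificate
# carries the same public key as the CSR, or as the private key if you hold it.
# Assumes the OpenSSL command-line tool; all inputs are PEM files.

# Print the PEM public key embedded in a CSR, a certificate, or a private key.
pubkey_pem() {
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    echo "unknown kind: $1 (use csr, cert or key)" >&2; return 2 ;;
    esac
}

# Print the SHA-256 digest of that public key; fail if the file cannot be parsed.
pubkey_digest() {
    _pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$_pem" ] || return 1
    printf '%s\n' "$_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches <csr|key> <reference file> <certificate file>
# Returns 0 on a match, 1 on a mismatch, 2 if either file cannot be read.
cert_matches() {
    _ref=$(pubkey_digest "$1" "$2") || { echo "cannot read $1: $2" >&2; return 2; }
    _crt=$(pubkey_digest cert "$3") || { echo "cannot read certificate: $3" >&2; return 2; }
    [ "$_ref" = "$_crt" ]
}

# Command-line use (hypothetical names): ./check_cert.sh csr lm1.csr lm1-signed.crt
if [ "$#" -eq 3 ]; then
    if cert_matches "$1" "$2" "$3"; then
        echo "MATCH: the certificate was issued for this $1"
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "NO MATCH: certificate belongs to a different $1" >&2
        exit "$rc"
    fi
fi
```

In an HA pair, run the check against the CSR saved from each unit to identify the unit on which the certificate must be installed.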