If you have a Certificate Authority (CA)-signed certificate to use with an SSL-enabled Virtual Service, or have a custom self-signed certificate, this can be added to the Virtual Service through the WUI.

There is a button called Manage Certificates that you can click to add an (RSA or EC) SSL certificate.

There is also an Add New button in the View/Modify Services screen in the Certificates Installed column.

Either route opens the same screen; the screen to input the certificate information.

At this point there are two options; Add Intermediate and Import Certificate.

Add Intermediate

Clicking this button will allow you to add an intermediate certificate as a temporary measure. Browse to where the file is stored, enter the desired name in the Desired File Name field and click the Add Certificate button.

Import Certificate

The certificate and key file can be added from this screen. The two formats officially supported by the LoadMaster are .PEM and .PFX. However, other formats can also be imported to the LoadMaster. This document covers the .PEM, .PFX, and .CER certificate formats and the variations in which they can be added to the LoadMaster.

PFX (PKCS#12) Certificate Format

PFX or PKCS#12 format is a binary format for storing a server certificate, intermediate certificates, and the private key all in one encrypted file. PFX files can have the extensions .pfx and .p12. If the PFX format contains the private key, the key file does not have to be imported.

To import a PFX format certificate:

  1. Select the .pfx or .p12 Certificate File.
  2. If the PFX file does not contain a private key, select it using the Key File field.
  3. Enter the Pass Phrase configured when creating the PFX certificate file.
  4. Enter a Certificate Identifier which is the name used to identify the certificate on the LoadMaster.

PEM (X.509v3) Certificate Format

The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "—– BEGIN …" line. The .PEM certificate format that may include just the public certificate, or may include an entire certificate chain including public key, private key, and root certificates.

To import a PEM format certificate:

  1. Select the .pem Certificate File.
  2. If the .PEM file does not contain a private key, select it using the Key File field.
  3. Enter the Pass Phrase configured when creating the PEM certificate file.
  4. Enter a Certificate Identifier which is the name used to identify the certificate on the LoadMaster.

CER Certificate Format

A CER file is used to store an X.509 certificate. The file contains information about certificate owner and public and private certificate keys. A CER file can be in binary (ASN.1 DER) or encoded with Base-64 with a header and footer included (PEM). Windows recognizes either of these layouts. Though the .CER certificate file contains information about the private key, it does not contain the private key file and should be included when importing the .CER certificate file to the LoadMaster.

To import a .CER certificate:

  1. Select the .pem Certificate File.
  2. Select the private key file using the Key File field.
  3. Enter a Certificate Identifier which is the name used to identify the certificate on the LoadMaster.

Note: The certificate file cannot have the following in the filename: ident, cfile, kfile, ffile, replace, password. If it does, an Invalid Certificate Identifier error message appears.
Note: Transactions Per Second (TPS) Performance will vary based on key length. Larger keys will reduce performance.

After importing a certificate, it can then be assigned to a Virtual Service(s) by selecting the relevant IP address(s) in the Available VSs list, clicking the right arrow and clicking Save Changes.

Certificates can also be assigned to a Virtual Service within the Modify Virtual Service screen.

If you add a certificate to the LoadMaster in version 7.2.51 or later (or in 7.2.48.3 LTS or a later LTS version) and then downgrade to 7.2.50 or an earlier version (or 7.2.48.2 LTS or an earlier version) - the certificate will not work. To work around this, create a backup of all SSL certificates before downgrading and then restore the certificates after downgrading (Certificates & Security > Backup/Restore Certs). If you forget to take the backup before downgrading: upgrade the firmware again, take the certificate backup, downgrade, and then restore the certificate backup.