Blindfold your TLS Certificates
On This Page:
Objective
This document provides instructions on how to encrypt your TLS certificates using F5® Distributed Cloud Blindfold. This ensures additional security measures for the certificates stored in F5 Distributed Cloud Platform. To know more about Blindfold and secrets management, see Blindfold.
Note: Distributed Cloud Platform supports blindfolding the secrets directly in Console. Use the instructions provided in this document only in the case you want to apply Blindfold to your certificates Offline.
The following image illustrates the sequence of actions performed in securing the certificates.
Using the instructions provided in this guide, you can encrypt TLS certificate with Blindfold and apply it to a virtual host.
Prerequisites
The following prerequisites apply:
Note: If you do not have an account, see Create an Account.
- A virtual host with a signed TLS certificate
Note: If you do not have a virtual host, see Create a Virtual Host.
-
The vesctl tool. Download vesctl on your local machine as it is used to apply Blindfold to the TLS certificate.
-
Optionally, one or more cloud or edge locations with a Distributed Cloud site
Note: Install the Distributed Cloud node or cluster image in your cloud or edge location. See Site Management for more information.
Configuration
The following image shows the configuration sequence of applying Blindfold encryption to your TLS certificate.
Configuration Sequence
Applying Blindfold to the certificates of your WebApp includes performing the following sequence of actions:
Phase | Description |
---|---|
Create a Secret Policy | Create a policy to permit F5 Distributed Cloud Wingman and data plane to access the TLS certificate. |
Prepare Credentials and Policy | Retrieve API credentials from Console, derive certificates, derive keys, and obtain policy. |
Encrypt TLS Certificate | Perform the encryption on a local computer. It is recommended to use an air-gapped computer. |
Enable TLS on the Virtual Host | Update the Virtual Host configuration with the TLS certificate and key encrypted with Blindfold. |
Note: The API credentials are required to be downloaded in PKCS #12 file format.
Create a Secret Policy
The secret policy allows Wingman and Distributed Cloud data plane access to the TLS certificate.
Step 1: Log into Console and start creating new secret policy.
-
From the Home screen, click
Cloud and Edge Sites
underAll Services
. -
In the
Manage
section of the configuration menu, selectSecrets
from the options pane, and then selectSecret Policies
to see a list of existing policies. Then clickAdd secret policy
to see the new secret policy form. -
In the
Metadata
section,Figure: Secret Policy Metadata - Enter a unique name for the secret policy.
- Optionally, set labels and description, as necessary.
Step 2: Configure the Secret Policy Rules.
The Secret Policy Rules
section lists all the rules for this policy. To add a new rule, click Add item
and fill out the secret policy rule form as outlined below.
In the Metadata
section,
- Enter a unique name for the new rule.
- Optionally, set labels and description, as necessary.
In the Action
section, selecting Allow
or Deny
determines how to react to a request if all the predicates evaluate to true.
In the Client Selection
section, specify the client(s) that will be affected by this rule.
-
Group of Clients by Name
- List of client names for which the rule will apply. You can specify them usingExact Values
and/orRegex Values
. ClickAdd item
and enter exact values or regular expressions for server names. Continue to click eitherAdd item
button to build your list. -
Group of Clients by Label Selector
- Specifies the labels associated with the clients to which the rule will apply. To add labels, click in theSelector Expression
field, and then for each label you want to add:- Select a key from the displayed options or type a key and click
Assign Custom Key
, - Select a displayed operator,
- Select a displayed value or enter a custom value,
- Click
Apply
. If this is the last label, click outside theSelector Expression
area or press thetab
key.
- Select a key from the displayed options or type a key and click
-
Client Name
: Enter a single client name.
When finished entering clients for this rule, click Save and Exit
.
Step 3: Complete the policy.
Check Allow Volterra
to allow the data plane to decrypt an encrypted TLS private key. Then enter the Decrypt Cache Timeout
to limit the time a decrypted secret is cached in Wingman.
Click Save and Exit
to complete the secret policy.
Prepare Credentials and Policy
Step 1: Create an API Certificate.
- Log into F5 Distributed Cloud Platform
- Create an API certificate using the instructions in the Generate API Certificate chapter of the Credentials document.
- Download the certificate in the PKCS #12 format.
Step 2: Derive a certificate from the downloaded PKCS #12 file.
This example shows how to derive the certificate using OpenSSL.
openssl pkcs12 -nokeys -in demo-api-credentials.p12 -out demo-api.crt
Note: This step prompts for password. Enter the password used in Step 1 to generate the certificate file in the
.crt
file.
Step 3: Derive a key from the downloaded PKCS 12 file.
Enter the following command:
openssl pkcs12 -nocerts -nodes -in demo-api-credentials.p12 -out demo-api.key
Note: This step prompts for password. Enter the password used in Step 1 and a passphrase to generate the key file in the
.key
format.
Step 4: Obtain a public-key using vesctl and store the output to a file.
This example stores the output to a file named demo-api-pubkey
.
vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets get-public-key > demo-api-pubkey
Note: For the
--cert
and--key
options, specify the path to the certificate file and key file derived in Step 3 and Step 4 respectively.
The following output capture shows a sample public key:
data:
keyVersion: 1
modulusBase64: rc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2swNAUn8p6yiuvf8Vj4LUuWB++LdP2yYX5ftEHmMgnHVq4AdKFBp5zbrh15g7mS0lpdX/xG6h0+IdHyrWPoIg/hZwYyV9xmIOcFc1Jk5PZC554hchHbToQ==
publicExponentBase64: A6ur/Xk=
tenant: volterra-demo1
Step 5: Obtain a policy-document using vesctl and store the output to a file.
This example stores the output to a file named demo-api-policy
.
vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets get-policy-document --namespace system --name demo-api-https-policy > demo-api-policy
Note: For the
--cert
and--key
options, specify the path to the certificate file and key file derived in Step 3 and Step 4 respectively. For the--name
field, enter the API credentials object name.
The following output capture shows a sample policy document.
data:
policyId: "104"
policyInfo:
rules: []
tenant: volterra-demo1
Step 6: Convert the certificate into the URL format using the base64 encoding.
This string is used to associate the certificate with the virtual host.
openssl base64 -in <certificate>
Note: The
<certificate>
can be your certificate with intermediate if required.
Encrypt TLS Key Using Blindfold
Step 1: Encrypt TLS Key using vesctl and Blindfold and store for virtual host configuration.
This example stores the output to a file named bl-enckey
.
vesctl --cert file:///demo-api.crt --key file:///demo-api.key -u https://demo-api.console.ves.volterra.io/api request secrets encrypt --policy-document demo-api-policy --public-key demo-api-pubkey privkey.pem > bl-enckey
Note: Provide the certificate, key, public key, and policy document obtained in the Prepare Credentials and Policy chapter.
The following output capture shows a sample encrypted key.
sample-output:
Encrypted Secret (Base64 encoded):
AAAACWN1c3RvbWVyMQAAAAEAAAAAAAAAaAIAAAAFA6ur/XkAAAEArc3DxZa69sWeIn9NRrHGcZlZaXLHWYjc57jIS76Z47AcU0jDmodz3lNEysVO2s
Step 2: Save the encrypted TLS Key for future use.
You will need the encrypted key in the Enable TLS on the Virtual Host chapter when adding your TLS key.
Enable TLS on the Virtual Host
Log into Console and change to your application namespace.
Step 1: Select Virtual Host.
- Select
Manage
from the configuration menu andVirtual Host
->Virtual Hosts
from the options pane. - Choose your virtual host from the list displayed and open virtual host edit form.
Step 2: Configure the Secret Policy Rules.
Scroll to the TLS parameters
and click Configure
to load the for TLS parameters configuration form.
Step 3: Configure the TLS Common Parameters.
-
Click
Configure
to see the TLS common parameters form.Figure: TLS Common Parameters
Step 4: Select or add a TLS certificate.
-
In the
TLS Certificates
section, select an certificate from the list.-
Or click
Add Item
to create a new TLS certificate.Figure: TLS Certificate -
Paste the certificate or certificate chain into the
Certificate URL
field. The certificate/chain should be in PEM format including the PEM headers. -
In the
Private Key
section, clickConfigure
and selectBlindfold Secret
. Enter the encrypted string in theType
field. Use the string obtained in the Encrypt TLS Key Using Blindfold chapter. Then click theApply
button to return to theCommon Parameters
form. -
Optionally enter a description in the
Description
section. -
In the
OCSP Stapling choice
section, choose to enable or disable OCSP stapling. -
Click
Add Item
to return to theCommon Parameters
form.
-
Step 5: Specify the trusted CA validation parameters.
-
In the
Trusted CA Validation params
section, clickConfigure
.Figure: TLS CA Validation Form -
In the
Trusted CA
field, enter the URL for a trust store. -
Check
Skip verification of hostname
to not check if the certificate matches the connecting hostname. -
In the
List of SANs for matching
section, clickAdd item
for the Subject Alternative Name (SAN), and then enter the alternate name in theEnter verify subject alt names
field. -
Click the
Apply
button to return to theCommon Parameters
form.
Step 6: Specify details for using the TLS Certificate(s).
-
Enter the minimum and maximum TLS versions in the two respective fields, or select
Automatic
to let Distributed Cloud App Stack choose the optimal versions. -
Choose the cipher suite(s) for your certificates.
- In the
Cipher Suites
section, clickAdd item
for each suite, and select the specific suite from the dropdown list. - Click the
Apply
button to return toTLS Parameters form
.
- In the
Step 7: Finish the TLS Parameters.
- Check the box
Require Client Certificate (enable TLS)
if you want to reject connections without a valid client certificate. - Click the
Apply
button to finish the TLS parameters.