Blindfold your TLS Certificates


This document provides instructions on how to encrypt your TLS certificates using F5® Distributed Cloud Blindfold. This ensures additional security measures for the certificates stored in F5 Distributed Cloud Platform. To know more about Blindfold and secrets management, see Blindfold.

Note: Distributed Cloud Platform supports blindfolding the secrets directly in Console. Use the instructions provided in this document only in the case you want to apply Blindfold to your certificates Offline.

The following image illustrates the sequence of actions performed in securing the certificates.

Figure: F5 Distributed Cloud Blindfold

Using the instructions provided in this guide, you can encrypt TLS certificate with Blindfold and apply it to a virtual host.


The following prerequisites apply:

Note: If you do not have an account, see Create an Account.

  • A virtual host with a signed TLS certificate

Note: If you do not have a virtual host, see Create a Virtual Host.

  • The vesctl tool. Download vesctl on your local machine as it is used to apply Blindfold to the TLS certificate.

  • Optionally, one or more cloud or edge locations with a Distributed Cloud site

Note: Install the Distributed Cloud node or cluster image in your cloud or edge location. See Site Management for more information.

  • A minimum of monitor role in the Shared namespace is required.


The following image shows the configuration sequence of applying Blindfold encryption to your TLS certificate.

Figure: Encrypting TLS-Key using Blindfold

Configuration Sequence

Applying Blindfold to the certificates of your WebApp includes performing the following sequence of actions:

Create a Secret PolicyCreate a policy to permit F5 Distributed Cloud Wingman and data plane to access the TLS certificate.
Prepare Credentials and PolicyRetrieve API credentials from Console, derive certificates, derive keys, and obtain policy.
Encrypt TLS CertificatePerform the encryption on a local computer. It is recommended to use an air-gapped computer.
Enable TLS on the Virtual HostUpdate the Virtual Host configuration with the TLS certificate and key encrypted with Blindfold.

Note: The API credentials are required to be downloaded in PKCS #12 file format.

Create a Secret Policy

The secret policy allows Wingman and Distributed Cloud data plane access to the TLS certificate.

Note: You can also use the inbuilt ves-io-allow-volterra policy.

Step 1: Log into Console and start creating new secret policy.
  • From the Home screen, click Multi-Cloud Network Connect under All Services.

  • In the Manage section of the configuration menu, select Secrets from the options pane, and then select Secret Policies to see a list of existing policies. Then click Add secret policy to see the new secret policy form.

  • In the Metadata section,

  • Enter a unique name for the secret policy.

  • Optionally, set labels and description, as necessary.

  • Check Allow F5XC to allow the data plane to decrypt an encrypted TLS private key.

  • Enter Decrypt Cache Timeout to limit the time a decrypted secret is cached in Wingman.

secret pol metadata 2
Figure: Secret Policy Metadata
Step 2: Configure the Secret Policy Rules.

The Secret Policy Rules section lists all the rules for this policy.

To add a new rule, Select Policy Rules > choose Configure link > click + Add item button and fill out the secret policy rule form as outlined below.

secret pol rules 2
Figure: Secret Policy Metadata

In the Metadata section,

  • Enter a unique name for the new rule.

  • Optionally, set labels and description, as necessary.

In the Action section, selecting Allow or Deny determines how to react to a request if all the predicates evaluate to true.

In the Client Selection section, specify the client(s) that will be affected by this rule.

  • Group of Clients by Name - List of client names for which the rule will apply. You can specify them using Exact Values and/or Regex Values. Click Add item and enter exact values or regular expressions for server names. Continue to click either Add item button to build your list.

  • Group of Clients by Label Selector - Specifies the labels associated with the clients to which the rule will apply. To add labels, click in the Selector Expression field, and then for each label you want to add:

    • Select a key from the displayed options or type a key and click Assign Custom Key,
    • Select a displayed operator,
    • Select a displayed value or enter a custom value,
    • Click Apply. If this is the last label, click outside the Selector Expression area or press the tab key.
  • Client Name: Enter a single client name.

When finished entering clients for this rule, click the Apply button.

secret pol action 2
Figure: Secret Policy Action

Click Apply to save the custom rule list.

Step 3: Complete the policy.
  • Click Save and Exit button to complete the secret policy.

    secret pol metadata 2
    Figure: Secret Policy Metadata

Prepare Credentials and Policy

Step 1: Create an API Certificate.
  • Log into F5 Distributed Cloud Platform
  • Create an API certificate using the instructions in the Generate API Certificate chapter of the Credentials document.
  • Download the certificate in the PKCS #12 (P12) format.
Step 2: Create a config file and add P12 bundle and server URLs to that file

Create a file named .vesconfig and add the P12 certificate bundle and the tenant server URLs to that file.

Step 3: Set the environment for P12 password.

Enter the following command:

          export VES_P12_PASSWORD=<p12 password>


Note: The password for the P12 file is set during the generation of API certificate.

Step 4: Obtain a public-key using vesctl and store the output to a file.

This example stores the output to a file named demo-api-pubkey.

          vesctl request secrets get-public-key > demo-api-pubkey

Step 5: Obtain a policy-document using vesctl and store the output to a file.

This example stores the output to a file named demo-api-policy. You can use the inbuilt policy or the policy created in the previous chapter. This example uses the inbuilt ves-io-allow-volterra policy.

          vesctl request secrets get-policy-document --namespace shared --name ves-io-allow-volterra > demo-api-policy


Encrypt TLS Key Using Blindfold

Step 1: Encrypt TLS Key using vesctl and Blindfold.

This example stores the output to a file named bl-enckey.

          vesctl request secrets encrypt --policy-document demo-api-policy --public-key demo-api-pubkey key.pem  > bl-enckey


Note: Provide the public key and policy document obtained in the Prepare Credentials and Policy chapter. The key.pem is the TLS key to be encrypted.

Step 2: Save the encrypted TLS Key for future use.

You will need the encrypted key in the Enable TLS on the Virtual Host chapter when adding your TLS key.

Enable TLS on the Virtual Host

Log into Console and change to your application namespace.

Step 1: Select Virtual Host.
  • Select Manage from the configuration menu and Virtual Host -> Virtual Hosts from the options pane.
  • Choose your virtual host from the list displayed and open virtual host edit form.
Step 2: Configure the Secret Policy Rules.

Scroll to the TLS parameters and click Configure to load the for TLS parameters configuration form.

Step 3: Configure the TLS Common Parameters.
  • Click Configure to see the TLS common parameters form.

    tls common parameters
    Figure: TLS Common Parameters
Step 4: Select or add a TLS certificate.
  • In the TLS Certificates section, select an certificate from the list.

    • Or click Add Item to create a new TLS certificate.

      tls certificate
      Figure: TLS Certificate
    • Paste the certificate or certificate chain into the Certificate URL field. The certificate/chain should be in PEM format including the PEM headers.

    • In the Private Key section, click Configure and select Blindfold Secret. Enter the encrypted string in the Type field. Use the string obtained in the Encrypt TLS Key Using Blindfold chapter. Then click the Apply button to return to the Common Parameters form.

    • Optionally enter a description in the Description section.

    • In the OCSP Stapling choice section, choose to enable or disable OCSP stapling.

    • Click Add Item to return to the Common Parameters form.

Step 5: Specify the trusted CA validation parameters.
  • In the Trusted CA Validation params section, click Configure.

    tls trusted ca validation
    Figure: TLS CA Validation Form
  • In the Trusted CA field, enter the URL for a trust store.

  • Check Skip verification of hostname to not check if the certificate matches the connecting hostname.

  • In the List of SANs for matching section, click Add item for the Subject Alternative Name (SAN), and then enter the alternate name in the Enter verify subject alt names field.

  • Click the Apply button to return to the Common Parameters form.

Step 6: Specify details for using the TLS Certificate(s).
  • Enter the minimum and maximum TLS versions in the two respective fields, or select Automatic to let Distributed Cloud App Stack choose the optimal versions.

  • Choose the cipher suite(s) for your certificates.

    • In the Cipher Suites section, click Add item for each suite, and select the specific suite from the dropdown list.
    • Click the Apply button to return to TLS Parameters form.
Step 7: Finish the TLS Parameters.
  • Check the box Require Client Certificate (enable TLS) if you want to reject connections without a valid client certificate.
  • Click the Apply button to finish the TLS parameters.


API References