MediumChecklist

F5 SSL Certificate Checklist

Pre-flight checklist for F5 BIG-IP certificate installation and renewal. Don't forget the chain.

15-30 minutes

Last Updated: February 2026

Progress: 0/52 complete0%

When to Use

• Installing a new SSL certificate on F5 BIG-IP
• Renewing an existing certificate
• Replacing a certificate after a CA migration
• Troubleshooting "certificate not trusted" errors after a cert change

Do NOT Use For

• First-time F5 SSL profile setup (read [F5 SSL Profiles Explained](/guides/f5-ssl-profiles) first)
• Debugging complex SSL issues (use [F5 SSL Troubleshooting](/guides/f5-ssl-troubleshooting) guide)
• Generating CSRs (covered in [F5 Certificate Installation](/guides/f5-certificate-installation) guide)
• Internal/private CA certificate deployment

Quick Reference (TL;DR)

Verify files match before importing. Import cert, key, AND chain
Create/update Client SSL profile — put the chain in the Chain field (this is the step everyone skips)
Assign profile to Virtual Server. Test with openssl s_client AND mobile
Save config

1Before You Start

Objective: Confirm you have everything needed before touching the F5

Certificate file in PEM format (.crt or .pem)

Private key file in PEM format (.key)

Intermediate certificate(s) downloaded from your CA

Access to F5 GUI with admin privileges

Know which Virtual Server(s) need this certificate

Maintenance window scheduled (if production)

Rollback plan: know the current cert name in case you need to revert

💡 If you received a .pfx / .p12 file, convert it first — see PFX conversion commands in Section 3.

💡 Get the intermediate cert from your CA's documentation, not from memory. CAs change intermediates periodically.

2Verify Your Files

Objective: Catch problems before importing — saves time and prevents failed installs

Certificate and key modulus match (outputs must be identical)

Certificate is not expired

SANs include all required hostnames

Chain validates correctly

Verify certificate and key match:

openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5
# Output MUST be identical — if not, wrong key

Check certificate dates:

openssl x509 -noout -dates -in cert.crt

Check SANs:

openssl x509 -noout -text -in cert.crt | grep -A1 "Subject Alternative Name"

Validate chain:

openssl verify -CAfile intermediate.crt cert.crt
# Should output: cert.crt: OK

💡 If the modulus doesn't match, you have the wrong private key. Go back to wherever the CSR was generated — the key lives there.

💡 Check SANs carefully. Missing a hostname means that hostname won't be covered — browsers will show an error for it.

3Import to F5

Objective: Get the cert, key, and chain into F5's certificate store

Navigate to: System → Certificate Management → Traffic Certificate Management → SSL Certificate List

Click Import

Import Type: Certificate → Upload your server certificate

Import Type: Key → Upload your private key

Import Type: Certificate → Upload intermediate certificate(s) (separate import)

Verify all three items appear in the SSL Certificate List

PFX/PKCS#12 conversion (if you received .pfx or .p12 instead of PEM):

# Extract certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

# Extract private key
openssl pkcs12 -in certificate.pfx -nocerts -out private.key

# Remove key passphrase (F5 prefers unencrypted keys)
openssl rsa -in private.key -out private-decrypted.key

Import via tmsh (command line alternative):

# Import certificate via tmsh
tmsh install sys crypto cert www.example.com_2026 from-local-file /var/tmp/cert.crt

# Import key via tmsh
tmsh install sys crypto key www.example.com_2026 from-local-file /var/tmp/cert.key

# Import chain certificate
tmsh install sys crypto cert DigiCert_Intermediate_2026 from-local-file /var/tmp/chain.crt

💡 Use a consistent naming convention: `www.example.com_2026` makes it easy to identify cert, key, and chain by hostname and year.

💡 F5 requires PEM format. If your file starts with `-----BEGIN CERTIFICATE-----`, you're good. If it's binary, convert it first.

4Configure Client SSL Profile

Objective: This is where the certificate gets associated with your traffic. The Chain field is critical

Create Client SSL profile via tmsh:

# Create client SSL profile with cert, key, and chain
tmsh create ltm profile client-ssl clientssl_www.example.com \
  cert-key-chain add { www.example.com_2026 { \
    cert www.example.com_2026 \
    key www.example.com_2026 \
    chain DigiCert_Intermediate_2026 \
  }}

💡 **⚠️ CRITICAL — Chain Certificate Warning:** The #1 cause of "certificate not trusted" errors on F5 is forgetting to add the intermediate certificate to the **Chain** field. Desktop browsers may work fine (they cache intermediates), but **mobile devices, API clients, and automated scripts WILL fail**. Don't skip this step.

💡 If you forget to check "Custom" before editing, your changes won't save. This trips up everyone at least once.

💡 You can have multiple Certificate Key Chain entries in one profile for SNI (multiple certs on one IP).

5Configure Server SSL Profile (Only If Re-encrypting to Backend)

Objective: Only needed if your backend requires HTTPS. Skip this section if F5 sends plain HTTP to backends (SSL offload)

Navigate to: Local Traffic → Profiles → SSL → Server

Create new profile or select existing

Server Authentication: Set to "Ignore" for internal/trusted backends

Ciphers: Match your backend server's capabilities

Options: TLS 1.2 minimum recommended

Click Finished

💡 Client SSL = handles the connection FROM users TO F5. Server SSL = handles the connection FROM F5 TO your backend. The naming is from F5's perspective, not yours.

6Assign to Virtual Server

Objective: Connect your SSL profile to the Virtual Server that handles the traffic

Navigate to: Local Traffic → Virtual Servers → Virtual Server List

Select your target Virtual Server

Scroll to SSL Profile (Client) → Select your Client SSL profile

If re-encrypting: SSL Profile (Server) → Select your Server SSL profile

Click Update

Assign profile via tmsh:

# Assign profile to virtual server
tmsh modify ltm virtual my-virtual-server \
  profiles add { clientssl_www.example.com { context clientside } }

# Save configuration
tmsh save sys config

7Testing

Objective: Verify everything works before closing the maintenance window

Browse to site in browser — verify no certificate warnings

Test certificate chain is complete with openssl s_client

Test from mobile device (stricter chain validation than desktop browsers)

Run SSL Labs test (if public-facing): ssllabs.com/ssltest

Check F5 logs: System → Logs → Local Traffic (look for SSL errors)

Verify application functions correctly (not just HTTPS — test actual app functionality)

Test certificate chain:

openssl s_client -connect yoursite.com:443 -servername yoursite.com
# Look for "Certificate chain" section — should show full chain
# Verify return code: "Verify return code: 0 (ok)"

tmsh verification commands:

# List all certificates on the F5
tmsh list sys crypto cert

# Show specific certificate details
tmsh list sys crypto cert www.example.com_2026 all-properties

# Verify profile configuration
tmsh list ltm profile client-ssl clientssl_www.example.com

💡 Mobile devices and API clients are stricter about chain validation than desktop browsers.

💡 Desktop browsers cache intermediate certificates, masking chain issues — always test beyond desktop Chrome.

8Post-Installation

Objective: Clean up and document

Document new certificate expiration date

Set calendar reminder for renewal (30+ days before expiry)

Update certificate inventory / CMDB

Remove old certificate and key from F5 (only after confirming new one works)

Close maintenance window / change ticket

Save configuration: tmsh save sys config

Troubleshooting

Problem: "Certificate not trusted" on mobile but works in Chrome

Solution: Missing chain certificate. Go back to Section 4 and verify the Chain field has your intermediate cert. Chrome caches intermediates (hiding the problem), but mobile and API clients don't.

Problem: Import fails with "key and certificate do not match"

Solution: Wrong private key. Go back to Section 2 and compare the modulus hashes. The key must be the one generated with the original CSR.

Problem: Profile changes don't seem to save

Solution: You forgot to click the "Custom" checkbox. F5 profiles inherit from a parent — you must check "Custom" next to any field you want to override.

Problem: HTTPS not working at all after changes

Solution: Check that the Client SSL profile is assigned to the Virtual Server (Section 6). Also verify the Virtual Server is listening on port 443.

Problem: Wrong chain certificate — F5 sends wrong issuer in chain

Solution: Download the correct chain from your CA's documentation. Common locations: DigiCert (digicert.com/kb/digicert-root-certificates.htm), Sectigo (support.sectigo.com), Let's Encrypt (letsencrypt.org/certificates/).

Problem: Using Server SSL for incoming traffic

Solution: Traffic doesn't flow correctly. Client SSL = incoming from users to F5. Server SSL = outgoing from F5 to backend. The naming is from F5's perspective.

Problem: Key still encrypted — import fails with passphrase error

Solution: Decrypt the key first: `openssl rsa -in encrypted.key -out decrypted.key`

Problem: Do I need to restart the F5 after installing a certificate?

Solution: No. Certificate changes take effect immediately when you update the profile and virtual server. No reboot or restart needed.

Problem: Can I install the same certificate on multiple virtual servers?

Solution: Yes. Create one Client SSL profile and assign it to multiple virtual servers. The certificate only needs to be imported once.

Problem: What format should my certificate be in?

Solution: PEM format (text file starting with `-----BEGIN CERTIFICATE-----`). F5 also accepts DER and PKCS#12 via the GUI, but PEM is preferred and required for tmsh.

Problem: Where do I get the intermediate certificate?

Solution: From your Certificate Authority's documentation. DigiCert: digicert.com/kb/digicert-root-certificates.htm. Sectigo: support.sectigo.com. Let's Encrypt: letsencrypt.org/certificates/. Your CA's order confirmation email usually includes the chain.

Problem: How do I renew a certificate on F5?

Solution: Same process as a new install — import the new cert/key/chain, update the Certificate Key Chain in the existing Client SSL profile to point to the new files, test, then delete the old cert. You don't need to create new profiles.

Problem: What's the difference between Client SSL and Server SSL?

Solution: Client SSL handles incoming HTTPS traffic from users to F5. Server SSL handles outgoing HTTPS traffic from F5 to your backend servers. Most deployments only need Client SSL (SSL offload). See [F5 Client SSL vs Server SSL](/guides/f5-client-ssl-vs-server-ssl) for the full explanation.

Related Resources

📖 F5 SSL Profiles Explained 📖 F5 Certificate Chain Configuration 📖 F5 Client SSL vs Server SSL 📖 F5 SSL Troubleshooting 📖 F5 SSL Labs A+ Grade 📖 F5 SNI Configuration 🔧 SSL/TLS Configuration Checker 📖 Chain Builder ✅ 47-Day Readiness Audit 🎬 TLS Handshake Demo 🎬 Certificate Chain Demo

← Back to Checklists Library