Manual Chapter: Device Certificate Management
Applies To:
- BIG-IP APM: 17.1.1, 17.1.0, 17.0.0
- F5 SSL Orchestrator: 17.1.1, 17.1.0, 17.0.0
- BIG-IP Analytics: 17.1.1, 17.1.0, 17.0.0
- BIG-IP LTM: 17.1.1, 17.1.0, 17.0.0
- BIG-IP AFM: 17.1.1, 17.1.0, 17.0.0
- BIG-IP PEM: 17.1.1, 17.1.0, 17.0.0
- BIG-IP DNS: 17.1.1, 17.1.0, 17.0.0
- BIG-IP ASM: 17.1.1, 17.1.0, 17.0.0
About BIG-IP device certificates and keys
Before BIG-IP systems can exchange data with one another, they must exchange device certificates, that is, the digital certificates and keys they use to authenticate each other and secure the connection between them. For example, multiple BIG-IP systems might need to verify each other's credentials before communicating to collect performance data over a wide area network for global traffic management.
A default device certificate and key are located at these paths on the BIG-IP system:
- Device certificate file: /config/httpd/conf/ssl.crt/server.crt
- Device key file: /config/httpd/conf/ssl.key/server.key
The BIG-IP system offers a certificate management user role for managing digital certificates on the BIG-IP system.
Device certificate requirements
BIG-IP devices use SSL certificates to authenticate one another and to secure the traffic between them. For this authentication and communication to function properly, be aware of the following:
- Device certificates must reside in the correct locations on each BIG-IP system.
- Device certificates must be valid and must not be expired.
- BIG-IP device group members require unique device certificates that you must maintain and renew independently.
- You must manage device certificates for any BIG-IP DNS (previously Global Traffic Manager) deployment.
- You must manage device certificates for any BIG-IP Application Acceleration Manager (AAM) symmetric deployment.
- For BIG-IP DNS deployments and AAM symmetric deployments, if you update or renew device certificates (for example, after they have expired), you must copy the new certificates to the remote BIG-IP devices; otherwise the remote devices still trust only the old certificate and connections from the renewed device fail. BIG-IP devices exchange device certificates when you run these scripts:
  - bigip_add (BIG-IP DNS and AAM)
  - big3d_install (BIG-IP DNS only)
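The following script is an added example, not F5 code, that checks a device certificate and key against the requirements listed above: the files must be readable, the certificate must parse, it must not be expired (or about to expire), and its public key must belong to the key file. It assumes only the openssl command line tool; the default paths are the ones this chapter lists, and the function name check_device_cert is the example's own. The same check can be run on a workstation against an exported server.crt and key pair.

```shell
#!/bin/sh
# Added example, not F5 code: check a BIG-IP device certificate and key against
# the requirements above (readable, valid, unexpired, key matches). Assumes the
# openssl command line tool; the default paths are the ones this chapter lists.
DEVICE_CRT=/config/httpd/conf/ssl.crt/server.crt
DEVICE_KEY=/config/httpd/conf/ssl.key/server.key

# check_device_cert CERT KEY [MIN_REMAINING_SECONDS]
# Returns 0 when CERT is a PEM X.509 certificate that is not expired, stays
# valid for at least MIN_REMAINING_SECONDS (default 30 days, so a renewal can
# be scheduled before peers start rejecting this device) and carries the public
# key belonging to KEY. Returns 1 on a failed check, 2 if a file is unreadable.
check_device_cert() {
    cert="$1"; key="$2"; min_secs="${3:-2592000}"
    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 2; }
    [ -r "$key" ]  || { echo "cannot read key: $key" >&2; return 2; }

    # The file must parse as a PEM certificate at all.
    subject=$(openssl x509 -noout -subject -in "$cert" 2>/dev/null) || {
        echo "FAIL: $cert is not a PEM certificate" >&2; return 1; }
    not_after=$(openssl x509 -noout -enddate -in "$cert")
    not_after="${not_after#notAfter=}"

    # -checkend N exits non-zero if notAfter is less than N seconds away
    # (N=0 means "already expired").
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "FAIL: $cert has expired ($subject, notAfter=$not_after)" >&2
        return 1
    fi
    if ! openssl x509 -noout -checkend "$min_secs" -in "$cert" >/dev/null; then
        echo "FAIL: $cert expires within ${min_secs}s ($subject, notAfter=$not_after)" >&2
        return 1
    fi

    # The public key inside the certificate must equal the one derived from
    # the private key, or TLS handshakes with peer devices will fail. An
    # empty passphrase is supplied so an encrypted key fails instead of
    # prompting: the device key must be usable without a prompt.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -pubout -passin pass: -in "$key" 2>/dev/null) || {
        echo "FAIL: $key is not a readable, unencrypted private key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    echo "OK: $cert ($subject, notAfter=$not_after)"
    return 0
}

# As a script: "sh check_device_cert.sh CERT KEY [SECONDS]" checks the given
# pair; with no arguments it checks the default device certificate if present.
if [ "$#" -ge 2 ]; then
    check_device_cert "$@"; exit $?
elif [ -r "$DEVICE_CRT" ]; then
    check_device_cert "$DEVICE_CRT" "$DEVICE_KEY"; exit $?
fi
```

Run it from cron with a threshold larger than your renewal lead time so the device group member list in the previous section can be renewed before any peer refuses a connection; the check only covers notAfter, so a certificate whose notBefore lies in the future (a clock-skew problem) still has to be caught by the peer's own verification.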
About trusted device certificates
The BIG-IP system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running BIG-IP DNS might send a request to a Local Traffic Manager system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain to authenticate the request.
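The trust decision described above, reproduced with the openssl command line tool as an added example (not F5 code and not the BIG-IP implementation): TRUSTED is a PEM file holding the trusted device certificate or certificate chain the receiving system has configured, and PEER is the device certificate presented by the requesting system. The function name verify_peer_cert is the example's own.

```shell
#!/bin/sh
# Added example, not F5 code: accept a peer device certificate only if it is,
# or chains to, a certificate in the trusted device certificate file.

# Only the certificates in TRUSTED may act as anchors. By default
# "openssl verify" also consults the system CA directory (and, on OpenSSL 3,
# the default certificate store), which would let any public CA vouch for a
# "peer" BIG-IP; -no-CAstore is added only where the installed openssl has it.
VERIFY_OPTS="-no-CApath"
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
    VERIFY_OPTS="$VERIFY_OPTS -no-CAstore"
fi

# verify_peer_cert TRUSTED PEER
# Returns 0 when PEER is itself in TRUSTED or chains to a certificate in it
# (signature, validity period and CA constraints are all checked by openssl),
# 1 when the request must be rejected, 2 when a file cannot be read.
verify_peer_cert() {
    trusted="$1"; peer="$2"
    [ -r "$trusted" ] || { echo "cannot read trusted certificates: $trusted" >&2; return 2; }
    [ -r "$peer" ]    || { echo "cannot read peer certificate: $peer" >&2; return 2; }
    peer_subject=$(openssl x509 -noout -subject -in "$peer" 2>/dev/null) || {
        echo "REJECT: $peer is not a PEM certificate" >&2; return 1; }

    # VERIFY_OPTS is intentionally unquoted so its words become separate flags.
    if reason=$(openssl verify $VERIFY_OPTS -CAfile "$trusted" "$peer" 2>&1); then
        echo "ACCEPT: $peer_subject verified against $trusted"
        return 0
    fi
    echo "REJECT: $peer_subject: $reason" >&2
    return 1
}

# As a script: "sh verify_peer_cert.sh TRUSTED PEER".
if [ "$#" -eq 2 ]; then
    verify_peer_cert "$1" "$2"; exit $?
fi
```

When TRUSTED is a chain rather than a single self-signed device certificate, it must contain the self-signed root; openssl does not treat an intermediate in the file as an anchor unless you add -partial_chain, and that flag is deliberately left out here.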
BIG-IP Device Certificate Management
Importing a device certificate
You can use the Configuration utility to import a device certificate from a management workstation.
- From the Main tab, click.
- Click Import.
- From the Import Type list, select Certificate.
- For the Certificate Source setting, select Upload File and browse to select the certificate to upload.
- Click Import.
Renewing a device certificate
You can use the Configuration utility to renew a device certificate that has expired or is about to expire.
- From the Main tab, click.
- ClickRenew.
- Modify or retain the device certificate properties.
- ClickFinished.
Exporting a device certificate
You can use the Configuration utility to export a device certificate to a management workstation.
- From the Main tab, click.
- Click Export.
- Click Download server.crt to export a copy of the device certificate to the management workstation.
Importing a device certificate/key pair
You can use the Configuration utility to import a device certificate/key pair from a management workstation.
- From the Main tab, click.
- Click Import.
- From the Import Type list, select Certificate and Key.
- For the Certificate Source setting, select Upload File and browse to select the certificate to upload.
- For the Key Source setting, select Upload File and browse to select the key to upload.
- ClickImport.