Manual Chapter : Device Certificate Management

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0

F5 SSL Orchestrator

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Device Certificate Management

About BIG-IP device certificates and keys

Before BIG-IP systems can exchange data with one another, they need to exchange device certificates, that is, digital certificates and keys used for secure communication. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.
A default device certificate and key are located in these directories on the BIG-IP system:
Device certificate file
/config/httpd/conf/ssl.crt/server.crt
Device key file
/config/httpd/conf/ssl.key/server.key
The BIG-IP system offers a certificate management user role for managing digital certificates on the BIG-IP system.

Device certificate requirements

BIG-IP devices use SSL certificates for authentication and communication among BIG-IP devices on the network. For this authentication and communication between BIG-IP devices to function properly, you should be aware of the following:
  • Device certificates must reside in the correct locations on each BIG-IP system.
  • Device certificates must be valid and must not be expired.
  • BIG-IP device group members require unique device certificates that you must maintain and renew independently.
  • You must manage device certificates for any BIG-IP DNS (previously Global Traffic Manager) deployment.
  • You must manage device certificates for any BIG-IP Application Acceleration Manager (AAM) symmetric deployment.
  • For BIG-IP DNS deployments and AAM symmetric deployments, if you update or renew device certificates after they have expired, you must ensure that you copy the new certificates to the remote BIG-IP devices. BIG-IP devices exchange device certificates when running these scripts:
    bigip_add (BIG-IP DNS and AAM) big3d_install (BIG-IP DNS only)

About trusted device certificates

The BIG-IP system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running BIG-IP DNS might send a request to a Local Traffic Manager system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain to authenticate the request.

BIG-IP Device Certificate Management

Importing a device certificate

You can use the Configuration utility to import a device certificate from a management workstation.
  1. From the Main tab, click
    System
    Certificate Management
    Device Certificate Management
    Device Certificate
    .
  2. From the
    Import Type
    list, select
    Certificate
    .
  3. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate to upload.
  4. Click
    Import
    .

Renewing a device certificate

You can use the Configuration utility to renew a device certificate that has expired.
  1. From the Main tab, click
    System
    Certificate Management
    Device Certificate Management
    Device Certificate
    .
  2. Click
    Renew
    .
  3. Modify or retain the device certificate properties.
  4. Click
    Finished
    .

Exporting a device certificate

You can use the Configuration utility to export a device certificate to a management workstation.
  1. From the Main tab, click
    System
    Certificate Management
    Device Certificate Management
    Device Certificate
    .
  2. Click
    Export
    .
  3. Click
    Download server.crt
    to export a copy of the device certificate to the management workstation.

Importing a device certificate/key pair

You can use the Configuration utility to import a device certificate/key pair from a management workstation.
  1. From the Main tab, click
    System
    Certificate Management
    Device Certificate Management
    Device Key
    .
  2. Click
    Import
    .
  3. From the
    Import Type
    list, select
    Certificate and Key
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate to upload.
  5. For the
    Key Source
    setting, select
    Upload File
    and browse to select the key to upload.
  6. Click
    Import
    .