Manual Chapter :
SSL Certificates
Applies To:
Show VersionsBIG-IQ Centralized Management
- 6.0.0
SSL Certificates
How do I manage the local traffic SSL
certificates for my BIG-IP devices from BIG-IQ ?
BIG-IP® devices use traffic SSL certificates for secure communication.
Certificates stored on BIG-IQ® Centralized Management are in one of the
following states:
- Unmanaged- Each time you discover a BIG-IP device and import the LTM service, BIG-IQ imports the properties (metadata) of its SSL certificate and key pair, but not the actual certificate and key pair, themselves. These SSL certificates display asUnmanagedon BIG-IQ. You can monitor the expiration dates for unmanaged SSL certificates, and assign them to BIG-IP Local Traffic Manager™clientsslorserversslprofiles (as long as the BIG-IP devices already have those SSL certificates on them), but you can't deploy unmanaged certificates to BIG-IP devices.
- Managed- A complete SSL certificate includes a public/private key pair. When you import an SSL certificate and key pair to BIG-IQ, it displays asManaged. You can assign these managed SSL certificates to Local Traffic Managerclientsslorserversslprofiles, and deploy them to BIG-IP devices.
From one centralized location, BIG-IQ makes it easy for you to request, import, and manage
CA-signed SSL certificates, as well as import signed SSL certificates, keys, and PKCS #12
archive files created elsewhere. And if you want to create a self-signed certificate on BIG-IQ
for your managed devices, you can do that too.
Once you've imported or created an SSL certificate and keys, you can assign them to your
managed devices by associating them with a Local Traffic Manager
clientssl
or serverssl
profile, and deploying
it.Convert an SSL certificate and key pair
from unmanaged so you can deploy them to BIG-IP devices
When you discover a BIG-IP device, BIG-IQ Centralized Management imports its
SSL certificates' properties (metadata), but not the actual SSL certificates and key
pairs. These certificates display as
Unmanaged
on the BIG-IQ Certificates
& Keys screen. This allows you to monitor each SSL certificate's expiration date
from BIG-IQ, without having to log on directly to the BIG-IP device.Convert an unmanaged SSL key
certificate and key pair to managed so you can centrally manage it from BIG-IQ
Centralized Management. This saves you time because you don't have to log on to
individual BIG-IP devices to create, monitor, or deploy certificates.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Click the name of the unmanaged certificate.
- For the Certificate PropertiesStatesetting, click theImportbutton and then:
- To upload the certificate's file, selectUpload Fileand click theChoose Filebutton to navigate to the certificate file.
- To paste the content of a certificate file, selectPaste Textand paste the certificate's content into theCertificate Sourcefield.
- For the Key PropertiesStatesetting, click theImportbutton and then:
- To upload the key's file, selectUpload Fileand click theChoose Filebutton to navigate to the key file.
- To paste the content of a key file, selectPaste Textand paste the key's content into theKey Sourcefield.
- Click theSave & Closebutton.
The SSL certificate now displays as
Managed
on the Certificates & Keys screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager
clientssl
or serverssl
profile. Before you deploy it to a BIG-IP device, you must add the clientssl
or serverssl
profile to that device's LTM pinning policy.
For more information about pinning, refer to the topic titled Managing Object Pinning
in F5 BIG-IQ Centralized Management: Security
. For more information about deployments, refer to the topic titled Deploying Changes
in F5 BIG-IQ Centralized Management: Device
.
Create a self-signed certificate on BIG-IQ for your managed devices
Create a self-signed SSL certificate
and key pair on BIG-IQ Centralized Management so you can centrally
manage it. This saves you time because you don't have to log on to individual BIG-IP devices to create, monitor, or deploy
certificates.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Near the top of the screen, click theCreatebutton.
- In theNamefield, type a name for this certificate.
- If the partition is anything other thanCommon, type it into thePartitionfield.
- From theIssuerlist, selectSelf.
- Complete the details for this certificate.A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For theSubject Alternative Namefield, use the format of a comma-separated list ofname:valuepairs.
- In the Key Properties area, select the key type and size.
- If the key is encrypted, from theKey Security Typelist, selectPasswordand type the password for the key in theKey Passwordfield.If you selectNormal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
- In thePasswordandConfirm Passwordfields, type and confirm the password for this key pair.
- Click theSave & Closebutton.
The certificate displays in the
Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager
clientssl
or serverssl
profile. Before you deploy it to a BIG-IP device, you must add the clientssl
or serverssl
profile to that device's LTM pinning policy.
For more information about pinning, refer to the topic titled Managing Object Pinning
in F5 BIG-IQ Centralized Management: Security
. For more information about deployments, refer to the topic titled Deploying Changes
in F5 BIG-IQ Centralized Management: Device
.
About managing CA-signed SSL
certificates
You can create a Certificate Signing Request (CSR) directly from BIG-IQ®
Centralized Management, so it's easy to create and renew CA-signed certificates for your BIG-IP® devices. BIG-IQ provides a centralized view into which BIG-IP
devices have CA-signed certificates, and which are about to expire.
To create or renew a CA-signed SSL certificate, you:
- From BIG-IQ, create a Certificate Signing Request (CSR) for the SSL certificate.
- Send the CSR to your certificate authority (CA).
- Import the signed SSL certificate to BIG-IQ you received from your CA.
Create a CSR for a CA-signed certificate
You create a Certificate Signing
Request (CSR) on BIG-IQ Centralized Management as the first step
to creating a CA-signed certificate.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Click theCreatebutton.
- In theNamefield, type a name for this certificate.
- If the partition is anything other thanCommon, type it into thePartitionfield.
- From theIssuerlist, selectCertificate Authority.
- Complete the details for this certificate.A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For theSubject Alternative Namefield, use the format of a comma-separated list ofname:valuepairs.
- In the Key Properties area, select the key type and size.
- If the key is encrypted, from theKey Security Typelist, selectPasswordand type the password for the key in theKey Passwordfield.If you selectNormal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
- Complete any required Certificate Signing Request Attributes.
- Click theSave & Closebutton.
BIG-IQ creates the CSR and the key
pair.
Submit the CSR to your CA for a
signature. When you receive the signed certificate back from your CA, you can import it
to BIG-IQ to start managing it.
Import a CA-signed SSL certificate to
BIG-IQ for your managed devices
After you submit a CSR from BIG-IQ Centralized Management, your CA sends you a CA-signed SSL
certificate.
You import the signed CA-signed
certificate and key pair to BIG-IQ so you can centrally manage the certificate from
BIG-IQ. This saves you time because you don't have to log on to individual BIG-IP devices to monitor or deploy certificates.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Near the top of the screen, click theImportbutton.
- From theImport Typelist, selectCertificate.
- SelectCreate New.
- For theCertificate Sourcesetting:
- To upload the certificate's file, selectUpload Fileand click theChoose Filebutton to navigate to the certificate file.
- To paste the content of the certificate file, selectPaste Textand paste the certificate's content into theCertificate Sourcefield.
- Click theImportbutton at the bottom of the screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager
clientssl
or serverssl
profile. Before you deploy it to a BIG-IP device, you must add the clientssl
or serverssl
profile to that device's LTM pinning policy.
For more information about pinning, refer to the topic titled Managing Object Pinning
in F5 BIG-IQ Centralized Management: Security
. For more information about deployments, refer to the topic titled Deploying Changes
in F5 BIG-IQ Centralized Management: Device
.
About SSL certificates, keys, and PKCS #12
SSL archive files created outside of BIG-IQ
About SSL certificates, keys, and PKCS #12
SSL archive files created outside of BIG-IQ
There might be some cases where you've created an SSL certificate, key, or a PKCS #12 SSL
archive file on a system other than BIG-IQ® Centralized Management. In those
cases, you can easily import the certificates, keys, and files to BIG-IQ so you can centrally
manage them for your BIG-IP® devices.
Import an SSL certificate so you can
deploy it to a BIG-IP device
You can import an SSL certificate to
BIG-IQ Centralized Management that you created on another
system so you can manage it.
- On the left, click.
- Near the top of the screen, click theImportbutton.
- From theImport Typelist, selectCertificate.
- If the partition is anything other thanCommon, type it into thePartitionfield.
- For theCertificate Namesetting, selectCreate NeworOverwrite Existing.
- If you selectedOverwrite Existing, select the certificate you want to overwrite.
- For theCertificate Sourcesetting:
- To upload the certificate's file, selectUpload Fileand click theChoose Filebutton to navigate to the certificate file.
- To paste the content of the certificate file, selectPaste Textand paste the certificate's content into theCertificate Sourcefield.
- Click theImportbutton at the bottom of the screen.
The certificate displays in the
Certificates & Keys list.
You can now import the key for this certificate.
Import a key for an SSL certificate so you
can deploy it to a BIG-IP device
After you import a certificate to BIG-IQ Centralized
Management, you can import its associated key pair.
Import a key pair for an SSL
certificate you created on a different system so you can centrally manage the
certificate from BIG-IQ. This saves you time because you don't have to log on to
individual BIG-IP devices to monitor and deploy certificates.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Near the top of the screen, click theImportbutton.
- From theImport Typelist, selectKey.
- If the partition is anything other thanCommon, type it into thePartitionfield.
- For thePKCS12 Namesetting, selectCreate NeworOverwrite Existing.
- If you selectedOverwrite Existing, select the key you want to overwrite.
- For the PKCS12 Source setting, click theChoose Filebutton to navigate to the file.
- If the file is encrypted, into thePKCS12 Passwordfield, type the password for the file.
- If the key is encrypted, into theKey Passwordfield, type the password for the key.
- Click theImportbutton at the bottom of the screen.
The PKCS12 file displays in the
Certificates & Keys list.
Import a PKCS #12 SSL archive file so you
can deploy it to a BIG-IP device
Import a PKCS #12 SSL archive file
you created on another system to BIG-IQ Centralized Management to
centrally manage it. This saves you time because you don't have to log on to individual
BIG-IP devices to monitor or deploy it.
- At the top of the screen, clickConfiguration.
- On the left, click.
- Near the top of the screen, click theImportbutton.
- From theImport Typelist, selectPKCS#12.
- For thePKCS12 Name, selectCreate NeworOverwrite Existing.
- If you selectedOverwrite Existing, select the file you want to overwrite.
- For thePKCS12 Sourcesetting, selectUpload FileandChoose Fileto navigate to the file.
- In thePKCS12 Passwordfield, type the password.
- If the key is encrypted, from theKey Security Typelist, selectPasswordand type the password for the key in theKey Passwordfield.If you selectNormal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
- Click theImportbutton at the bottom of the screen.
The certificate displays in the
Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager
clientssl
or serverssl
profile. Before you deploy it to a BIG-IP device, you must add the clientssl
or serverssl
profile to that device's LTM pinning policy.
For more information about pinning, refer to the topic titled Managing Object Pinning
in F5 BIG-IQ Centralized Management: Security
. For more information about deployments, refer to the topic titled Deploying Changes
in F5 BIG-IQ Centralized Management: Device
.
How do I manage Certificate Revocation Lists
from BIG-IQ?
A Certificate Revocation List (CRL) is crucial part of helping your BIG-IP devices securely
pass internet traffic by ensuring sure your BIG-IP devices accept only traffic with valid and
trustworthy certificates. From BIG-IQ Centralized Management, you can easily import and manage
your BIG-IP devices CRLs conveniently from one location.
Import a Certificate Revocation List
file
When you discover a BIG-IP device,
BIG-IQ Centralized Management imports its meta-data for the PEM-formatted Certificate
Revocation List (CRL).
Import a BIG-IP device's CRL file to BIG-IQ so you can manage it.
- At the top of the screen, clickConfiguration.
- Click theImportbutton.
- In thePartitionfield, type the partition where you want to store the CRL file.
- ClickChoose Fileand navigate to the location of the file.Alternatively, you selectPaste Textand paste the CRL file's contents into theSourcefield.
- Click theSave & Closebutton.
The CRL file displays as managed in
the Certificate Revocation list.