Manual Chapter : CE File - SSL Certificates

Applies To:

BIG-IQ Centralized Management

  • 7.1.0

  1. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Third Party CA Management.
  3. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  4. Click the name of the unmanaged certificate.
  5. Click the name of the certificate.
  6. In the Name field, type a name for this certificate.
  7. If the partition is anything other than Common, type it into the Partition field.
  8. From the Issuer list, select an option.
    • Self - select this option if you want to create a self-signed certificate.
    • Certificate Authority - select this option to use a certificate authority.
  9. From the Issuer list, select Self.
  10. From the Issuer list, select Certificate Authority.
  11. Complete the details for this certificate.
    A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  12. In the Key Properties area, select the key type and size.
  13. From the Import Type list, select Certificate.
  14. From the Import Type list, select Import from CA Providers.
  15. Select the check box next to Venafi, enter the passphrase, and click the Import button at the bottom of the screen.
  16. To renew certificates prior to their expiration, enable the Auto Renewal option.
    By default, enabling this option automatically renews certificates 7 days before expiration. You can select a longer period of time.
  17. To automatically deploy renewed certificates over your BIG-IP devices, enable the Auto Deploy option.
    By default, enabling this option automatically deploys renewed certificates at the time 00:00 (midnight) following certificate renewal. You can select a different time of day.
  18. For the Certificate Name setting, select Create New or Overwrite Existing.
  19. From the Import Type list, select Key.
  20. For Certificate Name, select Overwrite Existing and select the certificate you named when you created the CSR for this certificate.
  21. For the Key Name setting, select Create New or Overwrite Existing.
  22. If you selected Overwrite Existing, select the key you want to overwrite.
  23. If you selected Overwrite Existing, select the certificate you want to overwrite.
  24. For the Key Source setting:
    • To upload the key's file, select Upload File and click the Choose File button to navigate to the key file.
    • To paste the content of the key file, select Paste Text and paste the key's content into the Key Source field.
  25. For the Certificate Source setting:
    • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
    • To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  26. From the Import Type list, select Certificate.
  27. From the Import Type list, select PKCS#12.
  28. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
    If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  29. In the Password and Confirm Password fields, type and confirm the password for this key pair.
  30. Click the Import button at the bottom of the screen.
  31. Click the Create button at the bottom of the screen.
  32. At the top right of the screen, click the Renew Certificate button.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.
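
The Subject Alternative Name format described in step 11 (a comma-separated list of name:value pairs using the email, DNS, URI, IP, and RID name types) can be checked before it is typed into the field. The following Python sketch is an added example, not BIG-IQ code; the function name parse_san_field, the per-type validation rules, and the case-insensitive matching of name types are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_OID = re.compile(r"^[0-2](\.\d+)+$")

def _dns(v):
    labels = v.rstrip(".").removeprefix("*.").split(".")  # one leading wildcard allowed
    return len(v) <= 253 and all(_LABEL.match(x) for x in labels)

def _ip(v):
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return True
    except ValueError:
        return False

def _email(v):
    local, at, domain = v.partition("@")
    return bool(local and at) and _dns(domain)

def _uri(v):
    u = urlsplit(v)
    return bool(u.scheme and (u.netloc or u.path))

# Per-type checks are assumptions of this example, not BIG-IQ's own rules.
CHECKS = {"email": _email, "dns": _dns, "uri": _uri, "ip": _ip,
          "rid": lambda v: bool(_OID.match(v))}

def parse_san_field(text):
    """Split a comma-separated name:value list into (entries, errors)."""
    entries, errors = [], []
    for item in (part.strip() for part in text.split(",")):
        # Split on the first colon only: URI and IPv6 values contain colons.
        name, sep, value = (s.strip() for s in item.partition(":"))
        check = CHECKS.get(name.lower())
        if not sep or not value:
            errors.append(f"{item!r}: expected name:value")
        elif check is None:
            errors.append(f"{item!r}: unsupported name type {name!r}")
        elif not check(value):
            errors.append(f"{item!r}: not a valid {name} value")
        else:
            entries.append((name, value))
    return entries, errors

# Constructed sample input (documentation domain and address, one unsupported type).
SAMPLE = "DNS:www.example.com, IP:2001:db8::1, URI:https://app.example.com/login, SRV:x"
```

Calling parse_san_field(SAMPLE) returns the three valid entries and one error for the unsupported SRV name type.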