Manual Chapter : SSL Certificates

Applies To: BIG-IQ Centralized Management 7.1.0

SSL Certificates

How do I manage the local traffic SSL certificates for my BIG-IP devices from BIG-IQ?

BIG-IP® devices use traffic SSL certificates for secure communication. Certificates stored on BIG-IQ Centralized Management are in one of the following states:
  • Unmanaged - Each time you discover a BIG-IP device and import the LTM service, BIG-IQ imports the properties (metadata) of its SSL certificate and key pair, but not the actual certificate and key pair themselves. These SSL certificates display as Unmanaged on BIG-IQ. You can monitor the expiration dates for unmanaged SSL certificates, and assign them to BIG-IP Local Traffic Manager clientssl or serverssl profiles (as long as the BIG-IP devices already have those SSL certificates on them), but you can't deploy unmanaged certificates to BIG-IP devices.
  • Managed - A complete SSL certificate includes a public/private key pair. When you import an SSL certificate and key pair to BIG-IQ, it displays as Managed. You can assign these managed SSL certificates to Local Traffic Manager clientssl or serverssl profiles, and deploy them to BIG-IP devices.
From one centralized location, BIG-IQ makes it easy for you to request, import, and manage CA-signed SSL certificates, as well as import signed SSL certificates, keys, and PKCS #12 archive files created elsewhere. And if you want to create a self-signed certificate on BIG-IQ for your managed devices, you can do that too.
Once you've imported or created an SSL certificate and keys, you can assign them to your managed devices by associating them with a Local Traffic Manager clientssl or serverssl profile, and deploying it.

Convert an SSL certificate and key pair from unmanaged so you can deploy them to BIG-IP devices

When you discover a BIG-IP device, BIG-IQ imports the metadata for its SSL certificates' properties, but not the actual SSL certificates and key pairs. These certificates display as Unmanaged on the BIG-IQ Certificates & Keys screen.
Convert an unmanaged SSL certificate and key pair to managed so you can centrally manage it from BIG-IQ. This allows you to monitor each SSL certificate's expiration date from BIG-IQ, without having to log on directly to the BIG-IP device.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the name of the unmanaged certificate.
  4. For the Certificate Properties State setting, click the Import button and then:
     • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
     • To paste the content of a certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  5. For the Key Properties State setting, click the Import button and then:
     • To upload the key's file, select Upload File and click the Choose File button to navigate to the key file.
     • To paste the content of a key file, select Paste Text and paste the key's content into the Key Source field.
  6. Click the Import button.
The SSL certificate now displays as Managed on the Certificates & Keys screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.
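The Paste Text options above accept raw PEM text. As an added example that is not part of the BIG-IQ documentation or product, this standard-library Python helper classifies pasted PEM (certificate, private key, or CRL) and reports whether a key is encrypted, which is the distinction the Key Security Type setting later in this chapter turns on; the PEM labels and the encrypted-header check are standard OpenSSL conventions, the Password/Normal mapping is taken from this page.

```python
"""Classify PEM text before pasting it into a BIG-IQ Source field.
Added helper, not BIG-IQ code: it reports whether each PEM block is a
certificate, a private key or a CRL, and whether a key is encrypted."""
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)

# PEM labels mapped to the kind of object the import screens expect.
_LABEL_TO_KIND = {
    "CERTIFICATE": "certificate",
    "X509 CRL": "crl",
    "PRIVATE KEY": "key",                # PKCS#8, stored in the clear
    "ENCRYPTED PRIVATE KEY": "key",      # PKCS#8, password protected
    "RSA PRIVATE KEY": "key",            # legacy OpenSSL format
    "EC PRIVATE KEY": "key",
}


def inspect_pem(text):
    """Return one dict per PEM block: kind, label and (for keys) encrypted.

    A legacy-format key is encrypted when its block carries a
    'Proc-Type: 4,ENCRYPTED' header; a PKCS#8 key when its label says so.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text.replace("\r\n", "\n")):
        label, body = m.group("label"), m.group("body")
        kind = _LABEL_TO_KIND.get(label, "unknown")
        info = {"kind": kind, "label": label}
        if kind == "key":
            info["encrypted"] = (label == "ENCRYPTED PRIVATE KEY"
                                 or "Proc-Type: 4,ENCRYPTED" in body)
        blocks.append(info)
    return blocks


def key_security_type(text):
    """Map a pasted key to the Key Security Type label this page uses:
    'Password' for an encrypted key, 'Normal' for one stored unencrypted."""
    keys = [b for b in inspect_pem(text) if b["kind"] == "key"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return "Password" if keys[0]["encrypted"] else "Normal"


# Constructed samples with placeholder bodies, not real key material.
SAMPLE_ENCRYPTED_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "UExBQ0VIT0xERVI=\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN_PKCS8 = (
    "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n")
```

A result of "Normal" means the key you are about to paste is in the clear; this page notes that storing a key unencrypted can put your data at risk.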

Create a self-signed certificate on BIG-IQ for your managed devices

Create a self-signed SSL certificate and key pair on BIG-IQ Centralized Management so you can centrally manage it. This saves you time because you don't have to log on to individual BIG-IP devices to create, monitor, or deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the Create button.
  4. In the Name field, type a name for this certificate.
  5. If the partition is anything other than Common, type it into the Partition field.
  6. From the Issuer list, select Self.
  7. Complete the details for this certificate.
     A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  8. In the Key Properties area, select the key type and size.
  9. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
     If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  10. In the Password and Confirm Password fields, type and confirm the password for this key pair.
  11. Click the Save & Close button.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.

About managing CA-signed SSL certificates

You can create a Certificate Signing Request (CSR) directly from BIG-IQ Centralized Management, so it's easy to create and renew CA-signed certificates for your BIG-IP devices. BIG-IQ provides a centralized view into which BIG-IP devices have CA-signed certificates, and which are about to expire.
To create or renew a CA-signed SSL certificate, you:
  • From BIG-IQ, create a Certificate Signing Request (CSR) for the SSL certificate.
  • Send the CSR to your certificate authority (CA).
  • Import the signed SSL certificate you received from your CA to BIG-IQ.

Create a CSR for a CA-signed certificate

You create a Certificate Signing Request (CSR) on BIG-IQ Centralized Management as the first step to creating a CA-signed certificate.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the Create button.
  4. In the Name field, type a name for this certificate.
  5. If the partition is anything other than Common, type it into the Partition field.
  6. From the Issuer list, select Certificate Authority.
  7. Complete the details for this certificate.
     A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  8. In the Key Properties area, select the key type and size.
  9. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
     If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  10. Complete any required Certificate Signing Request Attributes.
  11. Click the Save & Close button.
BIG-IQ creates the CSR and the key pair.
Submit the CSR to your CA for a signature. When you receive the signed certificate back from your CA, you can import it to BIG-IQ to start managing it.
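Both the self-signed procedure and the CSR procedure above take the Subject Alternative Name as a comma-separated list of name:value pairs with the types email, DNS, URI, IP, and RID. As an added example, not BIG-IQ's own code, this standard-library Python checker validates such a string before you enter it; the supported type names come from this page, while the exact type spellings and the per-type value checks are assumptions.

```python
"""Check a Subject Alternative Name field before you enter it in BIG-IQ.
Added example, not BIG-IQ code: the supported type names come from the page;
the exact type spellings and the value checks below are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

SUPPORTED = {"email", "DNS", "URI", "IP", "RID"}

# RFC 1123 style hostname, optionally with a single leading wildcard label.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_OID = re.compile(r"^\d+(\.\d+)+$")          # RID is a dotted OID


def _check_value(kind, value):
    """Raise ValueError when value is not plausible for the SAN type."""
    if kind == "DNS" and not _HOSTNAME.match(value):
        raise ValueError(f"bad DNS name: {value!r}")
    elif kind == "IP":
        ipaddress.ip_address(value)          # raises ValueError on junk
    elif kind == "email" and not _EMAIL.match(value):
        raise ValueError(f"bad email address: {value!r}")
    elif kind == "URI" and not urlsplit(value).scheme:
        raise ValueError(f"URI needs a scheme: {value!r}")
    elif kind == "RID" and not _OID.match(value):
        raise ValueError(f"RID must be a dotted OID: {value!r}")


def parse_san_field(field):
    """Parse 'DNS:a.example.com, IP:192.0.2.10' into [(type, value), ...].

    Entries are split on commas and trimmed; a trailing comma is tolerated.
    Splitting each entry on its first ':' keeps IPv6 and URI values intact.
    """
    pairs = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        kind, sep, value = entry.partition(":")
        if not sep or not value:
            raise ValueError(f"entry is not name:value: {entry!r}")
        if kind not in SUPPORTED:
            raise ValueError(f"unsupported SAN type {kind!r} in {entry!r}")
        _check_value(kind, value)
        pairs.append((kind, value))
    if not pairs:
        raise ValueError("SAN field is empty")
    return pairs
```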

Import a CA-signed SSL certificate to BIG-IQ for your managed devices

After you submit a CSR from BIG-IQ Centralized Management, your CA sends you a CA-signed SSL certificate.
You import the CA-signed certificate and key pair to BIG-IQ so you can centrally manage the certificate from BIG-IQ. This saves you time because you don't have to log on to individual BIG-IP devices to monitor or deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the Import button.
  4. From the Import Type list, select Certificate.
  5. Select Create New.
  6. For the Certificate Source setting:
     • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
     • To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  7. Click the Import button at the bottom of the screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.

Importing SSL certificates, keys, and PKCS #12 SSL archive files created outside of BIG-IQ

There might be some cases where you've created an SSL certificate, key, or a PKCS #12 SSL archive file on a system other than BIG-IQ Centralized Management. In those cases, you can easily import the certificates, keys, and files to BIG-IQ so you can centrally manage them for your BIG-IP devices.

Import an SSL certificate for management

You can import a single SSL certificate hosted on a discovered BIG-IP device so you can manage it.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Import button.
  4. From the Import Type list, select Certificate.
  5. If the silo is anything other than Default, select it from the list in the Silo field.
  6. If the partition is anything other than Common, type it into the Partition field.
  7. For the Certificate Name setting, select Create New or Overwrite Existing.
  8. If you selected Overwrite Existing, select the certificate you want to overwrite.
  9. For the Certificate Source setting:
     • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
     • To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  10. Click the Import button at the bottom of the screen.
The certificate displays in the Certificates & Keys list.
You can now assign this certificate to your managed BIG-IP VE devices.

Import certificates and keys from BIG-IP devices and third-party CA providers

To import from a BIG-IP device, the device must be discovered by BIG-IQ. See Managing BIG-IP Devices from BIG-IQ for more information.
To import from a third-party certificate authority (CA) provider, you must integrate the certificate management authority with BIG-IQ. See Integrating Third Party Certificate Management for more information.
You can import existing certificates and keys from external sources, such as discovered BIG-IP devices and third-party CA providers.
  1. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  2. Click the Import button.
  3. From the Import Type list, select:
     • Import from BIG-IP Devices to import certificates from devices.
     • Import from CA Providers to import certificates from a third-party CA.
     Once you select an option, the screen displays a list of the devices and providers configured on your system.
  4. Select the check box next to the item(s) in the list from which you want to import certificates.
     For BIG-IP devices, to import certificates with all their related objects (keys and CRLs), select the check box in the Retrieve All Objects column.
  5. Add the username and password for each selected list item.
     For multiple list selections that share the same password, add the username per row, and click Edit Multiple.
  6. When you are done, click Import at the bottom of the screen.
The certificates associated with the selected list items are imported to BIG-IQ. You will be able to view the additions in the Certificates and Keys list.

Import a PKCS #12 key for an SSL certificate so you can deploy it to a BIG-IP device

After you import a certificate to BIG-IQ Centralized Management, you can import its associated key pair.
Import a key pair for an SSL certificate you created on a different system so you can centrally manage the certificate from BIG-IQ. This saves you time because you don't have to log on to individual BIG-IP devices to monitor and deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Import button.
  4. From the Import Type list, select Key.
  5. If the partition is anything other than Common, type it into the Partition field.
  6. For the PKCS12 Name setting, select Create New or Overwrite Existing.
  7. If you selected Overwrite Existing, select the key you want to overwrite.
  8. For the PKCS12 Source setting, click the Choose File button to navigate to the file.
  9. If the file is encrypted, type the password for the file into the PKCS12 Password field.
  10. If the key is encrypted, type the password for the key into the Key Password field.
  11. Click the Import button at the bottom of the screen.
The PKCS12 file displays in the Certificates & Keys list.

Import a PKCS #12 SSL archive file so you can deploy it to a BIG-IP device

Import a PKCS #12 SSL archive file you created on another system to BIG-IQ Centralized Management to centrally manage it. This saves you time because you don't have to log on to individual BIG-IP devices to monitor or deploy it.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Import button.
  4. From the Import Type list, select PKCS#12.
  5. For the PKCS12 Name setting, select Create New or Overwrite Existing.
  6. If you selected Overwrite Existing, select the file you want to overwrite.
  7. For the PKCS12 Source setting, select Upload File and click Choose File to navigate to the file.
  8. In the PKCS12 Password field, type the password.
  9. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
     If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  10. Click the Import button at the bottom of the screen.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.

How do I manage Certificate Revocation Lists from BIG-IQ?

A Certificate Revocation List (CRL) is a crucial part of helping your BIG-IP devices securely pass internet traffic, by ensuring that your BIG-IP devices accept only traffic with valid and trustworthy certificates. From BIG-IQ Centralized Management, you can import and manage your BIG-IP devices' CRLs from one location.

Import a Certificate Revocation List file

When you discover a BIG-IP device, BIG-IQ Centralized Management imports its metadata for the PEM-formatted Certificate Revocation List (CRL).
Import a BIG-IP device's CRL file to BIG-IQ so you can manage it.
  1. At the top of the screen, click Configuration.
  2. Click the Import button.
  3. In the Partition field, type the partition where you want to store the CRL file.
  4. Click Choose File and navigate to the location of the file.
     Alternatively, select Paste Text and paste the CRL file's contents into the Source field.
  5. Click the Save & Close button.
The CRL file displays as managed in the Certificate Revocation list.