About managing CA-signed SSL certificates
You can create a Certificate Signing Request (CSR) directly from BIG-IQ Centralized Management, so it’s easy to create and renew CA-signed certificates for your BIG-IP devices. BIG-IQ provides a centralized view into which BIG-IP devices have CA-signed certificates, and which are about to expire.
To create or renew a CA-signed SSL certificate, you:
- From BIG-IQ, create a Certificate Signing Request (CSR) for the SSL certificate.
- Send the CSR to your certificate authority (CA).
- Import the signed SSL certificate you received from your CA to BIG-IQ.
Create a self-signed SSL certificate and key pair on BIG-IQ Centralized Management so you can centrally manage it. This saves you time because you don’t have to log on to individual BIG-IP devices to create, monitor, or deploy certificates.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Click the Create button.
- In the Name field, type a name for this certificate.
- If the partition is anything other than Common, type it into the Partition field.
- From the Issuer list, select Self.
- Complete the details for this certificate.
  Note: A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
- In the Key Properties area, select the key type and size.
- If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
  Important: If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
- In the Password and Confirm Password fields, type and confirm the password for this key pair.
- Click the Save & Close button.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device’s LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.
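To check a Subject Alternative Name value against the comma-separated name:value format described in the note above before you type it in, the following added example (not F5 code) parses the field and validates each entry. The function name check_san, the case-insensitive matching of name types, and the per-type validation rules are assumptions based on common X.509 conventions, not documented BIG-IQ behavior.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_OID = re.compile(r"^[0-2](\.\d+)+$")

def _dns(value):
    # Hostname syntax check; one leading wildcard label is allowed.
    labels = value.rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and len(value) <= 253 and all(_LABEL.match(l) for l in labels)

def _ip(value):
    return ipaddress.ip_address(value) is not None  # raises ValueError on a bad literal

def _uri(value):
    parts = urlsplit(value)  # may raise ValueError, e.g. on a malformed IPv6 host
    return bool(parts.scheme and (parts.netloc or parts.path))

def _email(value):
    local, at, domain = value.rpartition("@")
    return bool(local and at) and " " not in local and _dns(domain)

# Name types listed in the note; matching them case-insensitively is an assumption.
CHECKS = {"dns": _dns, "ip": _ip, "uri": _uri, "email": _email,
          "rid": lambda v: bool(_OID.match(v))}

def check_san(field):
    """Split a comma-separated list of name:value pairs; return (entries, errors)."""
    entries, errors = [], []
    for item in (raw.strip() for raw in field.split(",")):
        name, sep, value = (part.strip() for part in item.partition(":"))
        check = CHECKS.get(name.lower()) if sep else None
        try:
            valid = check(value) if check else None
        except ValueError:
            valid = False
        if valid is None:
            errors.append(f"{item!r}: expected email, DNS, URI, IP or RID before ':'")
        elif not valid:
            errors.append(f"{item!r}: not a valid {name} value")
        else:
            entries.append((name, value))
    return entries, errors

if __name__ == "__main__":
    # Constructed sample value; the second entry is missing its name prefix.
    print(check_san("DNS:www.example.com, www.example.org, IP:2001:db8::1"))
```

An entry without its name prefix is a common slip when listing several host names, and the check reports it as an error rather than silently dropping it.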
After you submit a CSR from BIG-IQ Centralized Management, your CA sends you a CA-signed SSL certificate.
You import the CA-signed certificate and key pair to BIG-IQ so you can centrally manage the certificate from BIG-IQ. This saves you time because you don’t have to log on to individual BIG-IP devices to monitor or deploy certificates.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Click the Import button.
- From the Import Type list, select Certificate.
- Select Create New.
- For the Certificate Source setting:
  - To upload the certificate’s file, select Upload File and click the Choose File button to navigate to the certificate file.
  - To paste the content of the certificate file, select Paste Text and paste the certificate’s content into the Certificate Source field.
- Click the Import button at the bottom of the screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device’s LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.