Importing SSL certificates, keys, and PKCS #12 SSL archive files created outside of BIG-IQ
There might be some cases where you’ve created an SSL certificate, key, or a PKCS SSL archive file on a system other than BIG-IQ Centralized Management. In those cases, you can easily import the certificates, keys, and files to BIG-IQ so you can centrally manage them for your BIG-IP devices.
To import certificates, you must have administrative role access and TMSH or bash shell access.
You can import a single SSL certificate hosted on a discovered BIG-IP device so you can manage it.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Near the top of the screen, click the Import button.
- From the Import Type list, select Certificate.
- If the silo is anything other than Default, select it from the list in the Silo field.
- If the partition is anything other than Common, type it into the Partition field.
- For the Certificate Name setting, select Create New or Overwrite Existing.
- If you selected Overwrite Existing, select the certificate you want to overwrite.
- For the Certificate Source setting:
  - To upload the certificate’s file, select Upload File and click the Choose File button to navigate to the certificate file.
  - To paste the content of the certificate file, select Paste Text and paste the certificate’s content into the Certificate Source field.
- Click the Import button at the bottom of the screen.
The certificate displays in the Certificates & Keys list.
You can now assign this certificate to your managed BIG-IP VE devices.
To import from a BIG-IP device, the device must be discovered by BIG-IQ. See Managing BIG-IP Devices from BIG-IQ for more information. You must also have administrative role access and TMSH or bash shell access.
To import from a third party certificate authority (CA) provider, you must integrate the certificate management authority with BIG-IQ. See Integrating Third Party Certificate Management for more information.
You can import existing certificates and keys from external sources, such as discovered BIG-IP devices and third party CA providers.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Click the Import button.
- From the Import Type list, select one of the following:
  - Import from BIG-IP Devices to import certificates from devices.
  - Import from CA Providers to import certificates from a third party CA.
  Once you select an option, the screen displays a list of devices and providers configured to your system.
- Select the check box next to the item(s) on your list from which you would like to import certificates.
  For BIG-IP devices, to import certificates with all their related objects (keys and CRLs), select the check box under the Retrieve All Objects column.
- Add the username and password for each selected list item.
  For multiple list selections that share the same password, add the username per row, and click Edit Multiple.
- When you are done, click Import at the bottom of the screen.
The certificates associated with the selected list items are imported to BIG-IQ. You can view the additions in the Certificates & Keys list.
After you import a certificate to BIG-IQ Centralized Management, you can import its associated key pair.
Import a key pair for an SSL certificate you created on a different system so you can centrally manage the certificate from BIG-IQ. This saves you time because you don’t have to log on to individual BIG-IP devices to monitor and deploy certificates.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Near the top of the screen, click the Import button.
- From the Import Type list, select Key.
- If the partition is anything other than Common, type it into the Partition field.
- For the PKCS12 Name setting, select Create New or Overwrite Existing.
- If you selected Overwrite Existing, select the key you want to overwrite.
- For the PKCS12 Source setting, click the Choose File button to navigate to the file.
- If the file is encrypted, type the password for the file into the PKCS12 Password field.
- If the key is encrypted, type the password for the key into the Key Password field.
- Click the Import button at the bottom of the screen.
The PKCS12 file displays in the Certificates & Keys list.
Import a PKCS #12 SSL archive file you created on another system to BIG-IQ Centralized Management to centrally manage it. This saves you time because you don’t have to log on to individual BIG-IP devices to monitor or deploy it.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Near the top of the screen, click the Import button.
- From the Import Type list, select PKCS#12.
- For the PKCS12 Name setting, select Create New or Overwrite Existing.
- If you selected Overwrite Existing, select the file you want to overwrite.
- For the PKCS12 Source setting, select Upload File and click Choose File to navigate to the file.
- In the PKCS12 Password field, type the password.
- If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
  Important: If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
- Click the Import button at the bottom of the screen.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device’s LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in BIG-IQ: Security. For more information about deployments, refer to the topic titled Deploying Changes in Managing BIG-IP devices from BIG-IQ.
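
A pre-import check for the files used in the procedures above, added here as an example (it is not F5 code and not part of BIG-IQ): it reads a file's bytes and reports which Import Type entry fits and whether a password field will need to be filled in. The function names and sample inputs are constructed for illustration; PKCS #12 is recognised from its DER header only, and treating every archive as password-protected is an assumption.

```python
import re

# PEM label -> (entry in the page's Import Type list, key is encrypted)
PEM_LABELS = {
    "CERTIFICATE": ("Certificate", False),
    "PRIVATE KEY": ("Key", False),
    "RSA PRIVATE KEY": ("Key", False),
    "EC PRIVATE KEY": ("Key", False),
    "ENCRYPTED PRIVATE KEY": ("Key", True),
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def is_pkcs12(data):
    """True if DER bytes open with SEQUENCE { INTEGER 3 ... }, the PFX header."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    # Long-form lengths set the high bit; the low bits count the length octets.
    offset = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
    return data[offset:offset + 3] == b"\x02\x01\x03"


def classify(data):
    """Return [(import_type, needs_password), ...] for the bytes of one file."""
    found = []
    for label, body in PEM_RE.findall(data):
        import_type, encrypted = PEM_LABELS.get(label.decode(), ("Unsupported", False))
        # Traditional OpenSSL keys flag encryption in a header, not in the label.
        if import_type == "Key" and b"Proc-Type: 4,ENCRYPTED" in body:
            encrypted = True
        found.append((import_type, encrypted))
    if found:
        return found
    if is_pkcs12(data):
        # Assumption: treat the archive as password-protected, as the page's step does.
        return [("PKCS#12", True)]
    return [("Unknown", False)]


# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PFX = bytes.fromhex("308201000201033000")  # constructed PFX header only

if __name__ == "__main__":
    print(classify(SAMPLE_PEM), classify(SAMPLE_PFX))
```

A key reported with `needs_password` set to `False` is stored in the clear in the source file, which is the same exposure the Important note above describes for keys stored without a password.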