Applies To:
BIG-IP AAM
- 14.1.2, 14.1.0
BIG-IP APM
- 14.1.2, 14.1.0
BIG-IP Analytics
- 14.1.2, 14.1.0
BIG-IP Link Controller
- 14.1.2, 14.1.0
BIG-IP LTM
- 14.1.2, 14.1.0
BIG-IP PEM
- 14.1.2, 14.1.0
BIG-IP AFM
- 14.1.2, 14.1.0
BIG-IP DNS
- 14.1.2, 14.1.0
BIG-IP ASM
- 14.1.2, 14.1.0
Device Certificate Management
About BIG-IP device certificates and keys
Before BIG-IP systems can exchange data with one another, they need to exchange device certificates, that is, digital certificates and keys used for secure communication. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.
A default device certificate and key are located at these paths on the BIG-IP system:
- Device certificate file: /config/httpd/conf/ssl.crt/server.crt
- Device key file: /config/httpd/conf/ssl.key/server.key
Device certificate requirements
BIG-IP® devices use SSL certificates for authentication and communication among BIG-IP devices on the network. For this authentication and communication between BIG-IP devices to function properly, you should be aware of the following:
- Device certificates must reside in the correct locations on each BIG-IP system.
- Device certificates must be valid and must not be expired.
- BIG-IP device group members require unique device certificates that you must maintain and renew independently.
- You must manage device certificates for any BIG-IP® DNS (previously Global Traffic Manager™) deployment.
- You must manage device certificates for any BIG-IP Application Acceleration Manager™ (AAM®) symmetric deployment.
- For BIG-IP DNS deployments and AAM symmetric deployments, if you update or renew device certificates after they have expired, you must ensure that you copy the new certificates to the remote BIG-IP devices. BIG-IP devices exchange device certificates when running these scripts:
  - bigip_add (BIG-IP DNS and AAM)
  - big3d_install (BIG-IP DNS only)
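As an added example (not part of the F5 documentation), the following shell functions check the "valid and not expired" requirement above against the default paths this page lists, and confirm that a private key belongs to a certificate, which is worth verifying before importing a certificate/key pair. The function names and the 30-day warning window are assumptions; only standard openssl subcommands are used.

```bash
#!/bin/bash
# Added example (not F5 code). Paths are the defaults listed on this page;
# the 30-day warning window is an assumed threshold.
DEVICE_CERT=/config/httpd/conf/ssl.crt/server.crt
DEVICE_KEY=/config/httpd/conf/ssl.key/server.key

# cert_status CERT [DAYS]: prints unreadable | expired | expiring | ok
cert_status() {
    local cert="$1" days="${2:-30}"
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable; return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired; return 1
    fi
    if ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# key_matches CERT KEY: succeeds only when KEY is the private key for CERT
key_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_device_cert [CERT] [KEY] [DAYS]: short report, non-zero on any problem
check_device_cert() {
    local cert="${1:-$DEVICE_CERT}" key="${2:-$DEVICE_KEY}" days="${3:-30}" status rc=0
    status=$(cert_status "$cert" "$days") || rc=1
    echo "$cert: $status ($(openssl x509 -noout -enddate -in "$cert" 2>/dev/null))"
    if ! key_matches "$cert" "$key"; then
        echo "$key: does not match certificate"; rc=1
    fi
    return "$rc"
}

# Run the check only when invoked as: script.sh check [CERT] [KEY] [DAYS]
if [ "${1:-}" = "check" ]; then
    shift
    check_device_cert "$@"
fi
```

Because device group members hold unique certificates that are renewed independently, a check like this has to run on each device rather than once per group.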
About trusted device certificates
The BIG-IP® system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running BIG-IP® DNS might send a request to a Local Traffic Manager™ system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain to authenticate the request.
BIG-IP Device Certificate Management
Importing a device certificate
- From the Main tab, click System > Certificate Management > Device Certificate Management > Device Certificate.
- From the Import Type list, select Certificate.
- For the Certificate Source setting, select Upload File and browse to select the certificate to upload.
- Click Import.
Renewing a device certificate
- From the Main tab, click System > Certificate Management > Device Certificate Management > Device Certificate.
- Click Renew.
- Modify or retain the device certificate properties.
- Click Finished.
Exporting a device certificate
- From the Main tab, click System > Certificate Management > Device Certificate Management > Device Certificate.
- Click Export.
- Click Download server.crt to export a copy of the device certificate to the management workstation.
Importing a device certificate/key pair
- From the Main tab, click System > Certificate Management > Device Certificate Management > Device Key.
- Click Import.
- From the Import Type list, select Certificate and Key.
- For the Certificate Source setting, select Upload File and browse to select the certificate to upload.
- For the Key Source setting, select Upload File and browse to select the key to upload.
- Click Import.