Manual Chapter : Device Certificate Management

Applies To:


BIG-IP AAM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP APM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP Link Controller

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP Analytics

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP LTM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP PEM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About BIG-IP device certificates and keys

Before BIG-IP® systems can exchange data with one another, they need to exchange device certificates, that is, digital certificates and keys used for secure communication. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.

A default device certificate and key are located in these directories on the BIG-IP system:

Device certificate file: /config/httpd/conf/ssl.crt/server.crt
Device key file: /config/httpd/conf/ssl.key/server.key
Note: The BIG-IP system offers a certificate management user role for managing digital certificates on the BIG-IP system.

Device certificate requirements

BIG-IP® devices use SSL certificates for authentication and communication among BIG-IP devices on the network. For this authentication and communication between BIG-IP devices to function properly, you should be aware of the following:

  • Device certificates must reside in the correct locations on each BIG-IP system.
  • Device certificates must be valid and must not be expired.
  • BIG-IP device group members require unique device certificates that you must maintain and renew independently.
  • You must manage device certificates for any BIG-IP® DNS (previously Global Traffic Manager™) deployment.
  • You must manage device certificates for any BIG-IP Application Acceleration Manager™ (AAM®) symmetric deployment.
  • For BIG-IP DNS deployments and AAM symmetric deployments, if you update or renew device certificates after they have expired, you must ensure that you copy the new certificates to the remote BIG-IP devices. BIG-IP devices exchange device certificates when running these scripts:
    bigip_add (BIG-IP DNS and AAM)
    big3d_install (BIG-IP DNS only)
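The requirements above boil down to checks an operator can script: the certificate at the default path must parse, its validity window must contain the current time (with enough margin to renew before expiry), and each device group member must carry a different certificate. The following is an example added to this chapter, not F5 code; it reads the validity window and serial from a PEM certificate using only the Python standard library (a minimal DER walker, so it runs where no OpenSSL bindings are installed), classifies the certificate as ok, expiring-soon, expired or not-yet-valid, and returns a SHA-256 fingerprint that can be compared across device group members to confirm uniqueness. The file path is the one named in this chapter; the sample certificate is constructed in the block, carries no signature or real public key, and exists only so the code can run offline. The `warn_days` threshold of 30 days is an assumption, not an F5 default.

```python
"""Check an X.509 device certificate's validity window with the standard library only.
Added example, not F5 code. The sample certificate built below is unsigned and must
never be installed on a device; it exists only to exercise the parser offline."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Default device certificate location named in this chapter.
DEVICE_CERT_PATH = "/config/httpd/conf/ssl.crt/server.crt"


def utc(year, month, day):
    """Convenience constructor for a UTC instant (used for 'now' and sample dates)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# ---- minimal DER reader: enough to reach tbsCertificate.validity -----------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280 4.1.2.5."""
    s = value.decode("ascii")
    if tag == 0x17:                                 # YYMMDDHHMMSSZ: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                               # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der(pem):
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.strip().startswith("-----")]
    return base64.b64decode("".join(lines))


def parse_certificate(der):
    """Return serial number, validity window and SHA-256 fingerprint of a DER certificate."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(_children(cert_body)[0][1])     # members of tbsCertificate
    if tbs[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = [_parse_time(t, v) for t, v in _children(tbs[3][1])]
    return {"serial": int.from_bytes(tbs[0][1], "big", signed=True),
            "not_before": not_before, "not_after": not_after,
            "fingerprint_sha256": hashlib.sha256(der).hexdigest()}


def check_device_cert(pem, now=None, warn_days=30):
    """Classify a PEM certificate as ok / expiring-soon / expired / not-yet-valid."""
    info = parse_certificate(pem_to_der(pem))
    now = now or datetime.now(timezone.utc)
    if now < info["not_before"]:
        info["status"] = "not-yet-valid"
    elif now > info["not_after"]:
        info["status"] = "expired"
    elif info["not_after"] - now < timedelta(days=warn_days):   # assumed renewal margin
        info["status"] = "expiring-soon"
    else:
        info["status"] = "ok"
    info["days_left"] = (info["not_after"] - now).days
    return info


# ---- constructed, unsigned sample certificate (offline demonstration only) ---------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def build_sample_cert_pem(not_before, not_after):
    """Build a structurally valid Certificate with empty names, a dummy SPKI and no signature."""
    sha256_rsa = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))
    rsa_enc = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b""))
    utctime = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")),      # version v3
               _tlv(0x02, b"\x2a"),                  # serialNumber 42 (constructed)
               sha256_rsa, _seq(),                   # signature alg, empty issuer Name
               _seq(utctime(not_before), utctime(not_after)),
               _seq(), _seq(rsa_enc, _tlv(0x03, b"\x00")))   # empty subject, placeholder SPKI
    der = _seq(tbs, sha256_rsa, _tlv(0x03, b"\x00"))  # empty signature: NOT a real certificate
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import os, sys
    pem = (open(DEVICE_CERT_PATH).read() if os.path.exists(DEVICE_CERT_PATH)
           else build_sample_cert_pem(utc(2024, 1, 1), utc(2025, 1, 1)))
    r = check_device_cert(pem)
    print(r["status"], r["days_left"], r["fingerprint_sha256"])
    sys.exit(0 if r["status"] == "ok" else 1)
```

Run on a BIG-IP it reads the default device certificate and exits non-zero unless the certificate is valid with at least the renewal margin remaining, which makes it easy to schedule ahead of the renewal task described later in this chapter; run anywhere else it falls back to the constructed sample. Collecting the `fingerprint_sha256` value from every device group member and checking that no two match is a direct test of the unique-certificate requirement above. The parser deliberately reads only the fields it needs and does not validate signatures or chains; use it for expiry and inventory checks, not as a substitute for the device's own trust verification.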

About trusted device certificates

The BIG-IP® system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running BIG-IP® DNS might send a request to a Local Traffic Manager™ system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain to authenticate the request.

BIG-IP device certificate management

There are several tasks you can perform to manage device certificates on the BIG-IP® system.

Task list

Importing a device certificate

You can use the Configuration utility to import a device certificate from a management workstation.
  1. On the Main tab, click System > Certificate Management > Device Certificate Management > Device Certificate.
  2. Click Import.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Source setting, select Upload File and browse to select the certificate to upload.
  5. Click Import.

Renewing a device certificate

You can use the Configuration utility to renew a device certificate that has expired.
  1. On the Main tab, click System > Certificate Management > Device Certificate Management > Device Certificate.
  2. Click Renew.
  3. Modify or retain the device certificate properties.
  4. Click Finished.

Exporting a device certificate

You can use the Configuration utility to export a device certificate to a management workstation.
  1. On the Main tab, click System > Certificate Management > Device Certificate Management > Device Certificate.
  2. Click Export.
  3. Click Download server.crt to export a copy of the device certificate to the management workstation.

Importing a device certificate/key pair

You can use the Configuration utility to import a device certificate/key pair from a management workstation.
  1. On the Main tab, click System > Certificate Management > Device Certificate Management > Device Key.
  2. Click Import.
  3. From the Import Type list, select Certificate and Key.
  4. For the Certificate Source setting, click Upload File.
  5. For the Key Source setting, click Upload File.
  6. Click Import.