SSL Certificates
How do I manage the local traffic SSL certificates for my BIG-IP devices from BIG-IQ?
BIG-IP® devices use traffic SSL certificates for secure communication. Certificates stored on BIG-IQ® Centralized Management are in one of the following states:
- Unmanaged - Each time you discover a BIG-IP device and import the LTM service, BIG-IQ imports the properties (metadata) of its SSL certificate and key pair, but not the actual certificate and key pair themselves. These SSL certificates display as Unmanaged on BIG-IQ. You can monitor the expiration dates for unmanaged SSL certificates, and assign them to BIG-IP Local Traffic Manager™ clientssl or serverssl profiles (as long as the BIG-IP devices already have those SSL certificates on them), but you can't deploy unmanaged certificates to BIG-IP devices.
- Managed - A complete SSL certificate includes a public/private key pair. When you import an SSL certificate and key pair to BIG-IQ, it displays as Managed. You can assign these managed SSL certificates to Local Traffic Manager clientssl or serverssl profiles, and deploy them to BIG-IP devices.
From one centralized location, BIG-IQ makes it easy for you to request, import, and manage CA-signed SSL certificates, as well as import signed SSL certificates, keys, and PKCS #12 archive files created elsewhere. And if you want to create a self-signed certificate on BIG-IQ for your managed devices, you can do that too.
Once you've imported or created an SSL certificate and keys, you can assign them to your managed devices by associating them with a Local Traffic Manager clientssl or serverssl profile, and deploying it.
Convert an SSL certificate and key pair from unmanaged so you can deploy them to BIG-IP devices
- At the top of the screen, click Configuration.
- On the left, click .
- Click the name of the unmanaged certificate.
- For the Certificate Properties State setting, click the Import button and then:
  - To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
  - To paste the content of a certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
- For the Key Properties State setting, click the Import button and then:
  - To upload the key's file, select Upload File and click the Choose File button to navigate to the key file.
  - To paste the content of a key file, select Paste Text and paste the key's content into the Key Source field.
- Click the Save & Close button.
Create a self-signed certificate on BIG-IQ for your managed devices
About managing CA-signed SSL certificates
You can create a Certificate Signing Request (CSR) directly from BIG-IQ® Centralized Management, so it's easy to create and renew CA-signed certificates for your BIG-IP® devices. BIG-IQ provides a centralized view into which BIG-IP devices have CA-signed certificates, and which are about to expire.
- From BIG-IQ, create a Certificate Signing Request (CSR) for the SSL certificate.
- Send the CSR to your certificate authority (CA).
- Import the signed SSL certificate you received from your CA to BIG-IQ.
Create a CSR for a CA-signed certificate
Import a CA-signed SSL certificate to BIG-IQ for your managed devices
- At the top of the screen, click Configuration.
- On the left, click .
- Near the top of the screen, click the Import button.
- From the Import Type list, select Certificate.
- Select Create New.
- For the Certificate Source setting:
  - To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
  - To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
- Click the Import button at the bottom of the screen.
About SSL certificates, keys, and PKCS #12 SSL archive files created outside of BIG-IQ
There might be some cases where you've created an SSL certificate, key, or a PKCS #12 SSL archive file on a system other than BIG-IQ® Centralized Management. In those cases, you can easily import the certificates, keys, and files to BIG-IQ so you can centrally manage them for your BIG-IP® devices.
Import an SSL certificate so you can deploy it to a BIG-IP device
- On the left, click .
- Near the top of the screen, click the Import button.
- From the Import Type list, select Certificate.
- If the partition is anything other than Common, type it into the Partition field.
- For the Certificate Name setting, select Create New or Overwrite Existing.
- If you selected Overwrite Existing, select the certificate you want to overwrite.
- For the Certificate Source setting:
  - To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
  - To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
- Click the Import button at the bottom of the screen.
Import a key for an SSL certificate so you can deploy it to a BIG-IP device
- At the top of the screen, click Configuration.
- On the left, click .
- Near the top of the screen, click the Import button.
- From the Import Type list, select Key.
- If the partition is anything other than Common, type it into the Partition field.
- For the PKCS12 Name setting, select Create New or Overwrite Existing.
- If you selected Overwrite Existing, select the key you want to overwrite.
- For the PKCS12 Source setting, click the Choose File button to navigate to the file.
- If the file is encrypted, type the password for the file into the PKCS12 Password field.
- If the key is encrypted, type the password for the key into the Key Password field.
- Click the Import button at the bottom of the screen.
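Before pasting text into the Certificate Source or Key Source field in the import procedures above, a local check can confirm that the text holds the kind of object the selected Import Type expects and whether a key will need the Key Password field. The Python below is an added example, not F5 code and not part of the original page; it assumes the text is PEM-encoded, and `pem_blocks`, `precheck`, `sample_pem` and the sample bodies are names and data constructed for illustration.

```python
import base64
import re

# Local pre-import check (assumption: PEM input); BIG-IQ's own validation is not shown here.
# PEM armor follows RFC 7468; legacy OpenSSL keys may carry RFC 1421 headers in the body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return (label, encrypted, body_ok) for each PEM block found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.strip().splitlines()]
        legacy_enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        try:
            raw = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
            # Plain and PKCS #8 bodies are DER SEQUENCEs (tag 0x30); legacy-encrypted is ciphertext.
            body_ok = bool(raw) and (legacy_enc or raw[:1] == b"\x30")
        except ValueError:
            body_ok = False
        found.append((label, legacy_enc or label == "ENCRYPTED PRIVATE KEY", body_ok))
    return found

def precheck(text, import_type):
    """List problems with text bound for an import of type Certificate or Key."""
    blocks = pem_blocks(text)
    labels = [b[0] for b in blocks]
    findings = [] if blocks else ["no PEM block found"]
    if any(not ok for _, _, ok in blocks):
        findings.append("block body is not valid base64-encoded data")
    if import_type == "Certificate":
        if any(lb in KEY_LABELS for lb in labels):
            findings.append("private key present in certificate text")
        if "CERTIFICATE REQUEST" in labels:
            findings.append("CSR present; import the CA-signed certificate instead")
        if "CERTIFICATE" not in labels:
            findings.append("no CERTIFICATE block")
    elif import_type == "Key":
        keys = [b for b in blocks if b[0] in KEY_LABELS]
        if len(keys) != 1:
            findings.append("expected exactly one private key block")
        elif keys[0][1]:
            findings.append("key is encrypted; a key password is required")
    return findings

# Constructed sample input: the body is a 5-byte DER SEQUENCE, not real key material.
def sample_pem(label, headers=""):
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"
```

A PKCS #12 archive is binary rather than PEM text, so it is outside what this check covers.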
Import a PKCS #12 SSL archive file so you can deploy it to a BIG-IP device
How do I manage Certificate Revocation Lists from BIG-IQ?
A Certificate Revocation List (CRL) is a crucial part of helping your BIG-IP devices securely pass internet traffic by ensuring your BIG-IP devices accept only traffic with valid and trustworthy certificates. From BIG-IQ Centralized Management, you can easily import and manage your BIG-IP devices' CRLs conveniently from one location.
Import a Certificate Revocation List file
Import a BIG-IP device's CRL file to BIG-IQ so you can manage it.