Manual Chapter: Managing Device Certificates

When you use BIG-IP® Local Traffic Manager to manage your SSL traffic, you can have a large number of SSL and web certificates on many different devices in your network. Traffic certificates are server certificates that a managed device uses in its traffic management tasks. System certificates are the web certificates that allow client systems to log into the BIG-IP system Configuration utility.
To assist you in managing these certificates, Enterprise Manager provides you with a summary of vital certificate information for each managed device in your network that has certificate monitoring enabled.
When you monitor a device list, you automatically monitor all of the certificates on all of the devices that are members of that device list.
Certificate monitoring is enabled by default for all managed devices. If you no longer want to monitor certain certificates, you can disable a device's or device list's certificate monitoring. When you disable certificate monitoring for a device, that certificate no longer displays on the certificate list, and certificate expiration alerts are cancelled.
On the Main tab, expand Enterprise Management, click Options, and select Certificates.
The Certificates list screen opens.
For the Devices or Device List setting, in the Enabled list, click the name of a device.
Click the Move (>>) or (<<) buttons to move the selected devices to the enabled or disabled list.
Click Save Changes.
Using this overview can save you time over monitoring certificate expiration dates on individual Local Traffic Manager devices.
Tip: If you require additional notification for expired or expiring certificates, you can create a certificate expiration alert. For detailed instructions, see To create a certificate expiration alert.
On the Main tab, expand Enterprise Management, and click Devices.
The Device List screen opens.
On the menu bar, click Monitored Certificates to view the system certificate list.
To view additional details about a particular certificate, click the name of a certificate to open the Certificate Properties screen.
In addition to the general certificate information, the certificate list screen also displays a status flag for each certificate. This provides you with a quick visual of the status for your certificates. Table 9.1, following, defines the status flags provided on the certificates page.
This certificate has expired. When client systems require this certificate for authentication, the client receives an expired certificate warning.
This certificate will expire in 30 days or less. The certificate is still valid, but you should take action to prevent certificate expiration.
In addition to monitoring certificate status from the certificate screens, you can also create an alert to log or send an email notification of an upcoming certificate expiration. You create a certificate expiration alert from the New Alert screen, where you can specify the devices or device list, the notification method, and how many days before the certificate expires you want to be notified.
Important: All devices display as available from the New Alert screen, even if certificate monitoring has not been enabled for the device. If you assign an alert to a device for which certificate monitoring is not enabled, the alert will fail. Before you create a device certificate alert, F5 recommends that you first verify that certificate monitoring is enabled for the device.
On the Main tab, expand Enterprise Management, click Alerts, and select Device Alerts.
The Device Alerts list screen opens.
Above the alert list, click Create.
The New Alert screen opens.
In the Name field, type a name for the alert, as you want it to appear in the Device Alerts screen.
Note: Once you create the alert, you cannot change the name.
From the Alert Type list, select Certificate Expiration.
For the Condition option, select the check box next to the number of days before the certificate expires at which you want to be notified. You can also type a customized number of days in the Condition field.
In the Action section, select the check box next to the type of notification you want to receive.
If you selected the option to send an email, then for Email Recipient, you can use the default email recipient, or type the email address of a specific user:
To send an email to the default email recipient listed on the Alert Options screen, select the check box for the email.
If you selected the option to log a remote syslog event, then for Syslog Server Address, you can choose to use the default syslog server address, or type the server address of a different remote server:
To log an event on an alternate server, clear the check box and type a new syslog server address in the field.
For either the Devices or Device List setting, click a device or device list in the Available box to select it.
Click the Move button (<<) to move the selected devices or device lists to the Assigned box.
The alert now applies to devices and device lists displayed in the Assigned box.
Click Finished.
The Device Alerts screen opens, and the new alert appears in the list.
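Added example (not part of the F5 manual and not Enterprise Manager code): an independent cross-check that applies the two status-flag conditions from Table 9.1 and a days-before-expiration alert condition to certificate end dates in the format printed by openssl x509 -noout -enddate. The device names, certificate names, dates, and function names are constructed for the example, and the rule that a notice applies only to certificates that have not yet expired is an assumption.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # "30 days or less" condition from Table 9.1

# Constructed inventory: (device, certificate, notAfter string).
INVENTORY = [
    ("bigip-b.example.net", "portal.crt", "Dec 31 23:59:59 2025 GMT"),
    ("bigip-a.example.net", "default.crt", "Mar 20 12:00:00 2024 GMT"),
    ("bigip-a.example.net", "server.crt", "Jan 10 00:00:00 2024 GMT"),
]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "current" time


def classify(not_after, now):
    """Return (status, time remaining) for one notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= timedelta(days=WARN_DAYS):
        return "expiring", remaining
    return "valid", remaining


def report(inventory, now, notify_days):
    """Rows ordered by soonest expiry: (device, cert, status, days, notify).

    notify is True for a certificate that has not expired yet but is within
    notify_days of expiring (assumed alert condition, see lead-in).
    """
    rows = []
    for device, name, not_after in inventory:
        status, remaining = classify(not_after, now)
        notify = (status != "expired"
                  and remaining <= timedelta(days=notify_days))
        rows.append((remaining, device, name, status, notify))
    rows.sort()
    return [(dev, name, status, rem.days, notify)
            for rem, dev, name, status, notify in rows]


if __name__ == "__main__":
    for row in report(INVENTORY, NOW, notify_days=60):
        print("%-22s %-12s %-9s %5d days  notify=%s" % row)
```
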