Manual Chapter: Enterprise Manager Administrator Guide: Managing Device Certificates


Chapter 8: Managing Device Certificates


Working with device certificates

Because the BIG-IP Local Traffic Manager (LTM) can control your SSL traffic, you may have a large number of SSL and web certificates on many different LTM devices in your network.

Enterprise Manager can provide a quick overview of all the server certificates and web certificates on each managed device in the network. You can use Enterprise Manager to monitor which certificates are nearing their expiration date, and which ones have expired. Using this overview can save you time over monitoring certificate expiration dates on individual LTM devices.

Monitoring device certificates

When Enterprise Manager adds a device to the device list, you have the option to monitor the expiration status of all the certificates on the managed device. You can view the status of both traffic certificates and system certificates. Traffic certificates are server certificates that a managed device uses in its traffic management tasks. System certificates are the web certificates that allow client systems to log into the BIG-IP system Configuration utility.

Enabling certificate monitoring

By default, certificate monitoring is enabled for all managed devices. However, you can specify which devices or device groups you want to monitor. If you choose to monitor a device group, you automatically monitor all of the certificates on all of the devices that are members of the device group.

To enable certificate monitoring

You can control which devices or device groups participate in certificate management from the same screen.

  1. On the Main tab of the navigation pane, expand Enterprise Management and click Certificates.
    The Traffic Certificates list screen opens.
  2. On the menu bar, click Options.
    The Certificate Options screen opens.
  3. For the Devices or Device Groups settings, in the Disabled box, click the name of a device or device group.
  4. Click the Move (<<) button.
    The selected device or device group moves to the Enabled box.
  5. Click Save Changes.
    Enterprise Manager now monitors certificates defined on the devices and device groups that you moved to the Enabled box.

If you no longer want to monitor certificates on a device or device group, you can disable its participation on the same screen where you enabled it. If you disable certificate monitoring for a device, certificates for the device no longer appear on certificate lists, and certificate expiration alerts for this device no longer apply.

To disable certificate monitoring

  1. On the Main tab of the navigation pane, expand Enterprise Management and click Certificates.
    The Traffic Certificates list screen opens.
  2. On the menu bar, click Options.
    The Certificate Options screen opens.
  3. In the Devices or Device Groups row, in the Enabled box, click the name of a device or device group.
  4. Click the Move (>>) button.
    The selected device or device group moves to the Disabled box.
  5. Click Save Changes.
    Enterprise Manager no longer monitors certificates defined on the devices and device groups that you moved to the Disabled box.

Working with the certificate list screens

You can view either traffic certificates or system certificates on their own certificate list screens. These screens provide a quick overview of vital certificate information such as the expiration status, name, the device the certificate is configured on, the common name, and expiration date and time.

Status flags offer the quickest view on the status of a certificate. Table 8.1 outlines the status flags.

Table 8.1 Certificate status flags

Status Flag | Expiration Status
Red | The Red Status Flag indicates that the certificate has expired. When client systems require this certificate for authentication, the client receives an expired certificate warning.
Yellow | The Yellow Status Flag indicates that a certificate will expire in 30 days or less. The certificate is still valid, but you should take action to prevent certificate expiration.
Green | The Green Status Flag indicates that a certificate is valid and will remain valid for at least 30 more days.

When working with the certificate list screens, you can sort the list by clicking the respective column headings, or you can filter the list to display only certificates with a particular status flag.

Figure 8.1 The Traffic Certificates screen outlines important certificate information

To filter the list by status flag

  1. In the Status column, click the down arrow.
    A menu appears indicating the status flags.
  2. From the menu, choose a status flag.
    The table changes to display only certificates that match the status flag you selected.

To view detailed certificate information

If you want to view additional details about a particular certificate, click the name of a certificate to open the certificate properties screen.

Creating alerts for certificate expiration

If you require more precise notification of certificate expiration dates, you can create a custom alert. When you create a custom alert on the New Alert screen, in the Alert Type box, select Certificate Expiration. Once you select this type of alert, you can configure an alert based on the number of days until the certificate expires. For detailed instructions on how to create alert instances and configure alert actions, see Configuring custom alerts, on page 7-4.

Note

You cannot configure certificate-based alerts on devices or device groups until you enable certificate monitoring on those devices or device groups.
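
The flag thresholds in Table 8.1, the enable/disable rule for monitoring, and the day-based expiration alert can be modelled in a short script for cross-checking expiry dates outside the product. This is an added example, not F5 code: device names, certificate names and dates are constructed, and two behaviours are assumptions (exactly 30 days remaining counts as yellow, and an alert also matches certificates that have already expired).

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # yellow threshold from Table 8.1

# Constructed inventory: (device, certificate, kind, notAfter in the
# format printed by `openssl x509 -enddate`). All values are made up.
INVENTORY = [
    ("ltm-a.example.net", "www_shop", "traffic", "Mar  1 12:00:00 2024 GMT"),
    ("ltm-a.example.net", "api_gw", "traffic", "Apr 14 00:00:00 2024 GMT"),
    ("ltm-a.example.net", "server", "system", "Jan 10 00:00:00 2025 GMT"),
    ("ltm-b.example.net", "legacy_vip", "traffic", "Mar 20 00:00:00 2024 GMT"),
]

def days_left(not_after, now):
    """Days (fractional) from `now` until the certificate's notAfter time."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    timezone.utc)
    return (expiry - now).total_seconds() / 86400

def status_flag(not_after, now):
    """Map an expiry date onto the red/yellow/green flags of Table 8.1."""
    remaining = days_left(not_after, now)
    if remaining <= 0:
        return "red"      # expired: clients get an expired-certificate warning
    if remaining <= WARN_DAYS:
        return "yellow"   # assumption: exactly 30 days left is still yellow
    return "green"

def certificate_list(inventory, enabled, now, kind=None, flag=None):
    """List-screen view: only monitored devices, optional kind/flag filter."""
    rows = []
    for device, name, cert_kind, not_after in inventory:
        if device not in enabled:
            continue      # monitoring disabled: certificate is not listed
        row_flag = status_flag(not_after, now)
        if (kind and cert_kind != kind) or (flag and row_flag != flag):
            continue
        rows.append((row_flag, name, device, not_after))
    # Soonest expiry first, like sorting on the expiration column.
    return sorted(rows, key=lambda r: ssl.cert_time_to_seconds(r[3]))

def expiration_alerts(inventory, enabled, now, alert_days):
    """Custom alert: certificates on monitored devices within `alert_days`."""
    return [(name, device)
            for device, name, _kind, not_after in inventory
            if device in enabled and days_left(not_after, now) <= alert_days]
```
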


