Manual Chapter : SSL Certificates

SSL Certificates

How do I manage the local traffic SSL certificates for my BIG-IP devices from BIG-IQ?

BIG-IP® devices use traffic SSL certificates for secure communication. Certificates stored on BIG-IQ® Centralized Management are in one of the following states:

  • Unmanaged - Each time you discover a BIG-IP device and import the LTM service, BIG-IQ imports the properties (metadata) of its SSL certificate and key pair, but not the actual certificate and key pair themselves. These SSL certificates display as Unmanaged on BIG-IQ. You can monitor the expiration dates for unmanaged SSL certificates, and assign them to BIG-IP Local Traffic Manager™ clientssl or serverssl profiles (as long as the BIG-IP devices already have those SSL certificates on them), but you can't deploy unmanaged certificates to BIG-IP devices.
  • Managed - A complete SSL certificate includes a public/private key pair. When you import an SSL certificate and key pair to BIG-IQ, it displays as Managed. You can assign these managed SSL certificates to Local Traffic Manager clientssl or serverssl profiles, and deploy them to BIG-IP devices.

From one centralized location, BIG-IQ makes it easy for you to request, import, and manage CA-signed SSL certificates, as well as import signed SSL certificates, keys, and PKCS #12 archive files created elsewhere. And if you want to create a self-signed certificate on BIG-IQ for your managed devices, you can do that too.

Once you've imported or created an SSL certificate and keys, you can assign them to your managed devices by associating them with a Local Traffic Manager clientssl or serverssl profile, and deploying it.

Convert an SSL certificate and key pair from unmanaged so you can deploy them to BIG-IP devices

When you discover a BIG-IP device, BIG-IQ Centralized Management imports its SSL certificates' properties (metadata), but not the actual SSL certificates and key pairs. These certificates display as Unmanaged on the BIG-IQ Certificates & Keys screen. This allows you to monitor each SSL certificate's expiration date from BIG-IQ, without having to log on directly to the BIG-IP device.
Convert an unmanaged SSL certificate and key pair to managed so you can centrally manage it from BIG-IQ Centralized Management. This saves you time because you don't have to log on to individual BIG-IP devices to create, monitor, or deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the name of the unmanaged certificate.
  4. For the Certificate Properties State setting, click the Import button and then:
    • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
    • To paste the content of a certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  5. For the Key Properties State setting, click the Import button and then:
    • To upload the key's file, select Upload File and click the Choose File button to navigate to the key file.
    • To paste the content of a key file, select Paste Text and paste the key's content into the Key Source field.
  6. Click the Save & Close button.
The SSL certificate now displays as Managed on the Certificates & Keys screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in F5 BIG-IQ Centralized Management: Security. For more information about deployments, refer to the topic titled Deploying Changes in F5 BIG-IQ Centralized Management: Device.

Create a self-signed certificate on BIG-IQ for your managed devices

Create a self-signed SSL certificate and key pair on BIG-IQ Centralized Management so you can centrally manage it. This saves you time because you don't have to log on to individual BIG-IP devices to create, monitor, or deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Create button.
  4. In the Name field, type a name for this certificate.
  5. If the partition is anything other than Common, type it into the Partition field.
  6. From the Issuer list, select Self.
  7. Complete the details for this certificate.
    Note: A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  8. In the Key Properties area, select the key type and size.
  9. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
    Important: If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  10. In the Password and Confirm Password fields, type and confirm the password for this key pair.
  11. Click the Save & Close button.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in F5 BIG-IQ Centralized Management: Security. For more information about deployments, refer to the topic titled Deploying Changes in F5 BIG-IQ Centralized Management: Device.

About managing CA-signed SSL certificates

You can create a Certificate Signing Request (CSR) directly from BIG-IQ® Centralized Management, so it's easy to create and renew CA-signed certificates for your BIG-IP® devices. BIG-IQ provides a centralized view into which BIG-IP devices have CA-signed certificates, and which are about to expire.

To create or renew a CA-signed SSL certificate, you:
  • From BIG-IQ, create a Certificate Signing Request (CSR) for the SSL certificate.
  • Send the CSR to your certificate authority (CA).
  • Import the signed SSL certificate you received from your CA to BIG-IQ.

Create a CSR for a CA-signed certificate

You create a Certificate Signing Request (CSR) on BIG-IQ Centralized Management as the first step to creating a CA-signed certificate.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the Create button.
  4. In the Name field, type a name for this certificate.
  5. If the partition is anything other than Common, type it into the Partition field.
  6. From the Issuer list, select Certificate Authority.
  7. Complete the details for this certificate.
    Note: A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  8. In the Key Properties area, select the key type and size.
  9. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
    Important: If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  10. Complete any required Certificate Signing Request Attributes.
  11. Click the Save & Close button.
BIG-IQ creates the CSR and the key pair.
Submit the CSR to your CA for a signature. When you receive the signed certificate back from your CA, you can import it to BIG-IQ to start managing it.
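As an added example (not part of the F5 documentation or of BIG-IQ itself), here is a small Python check for the Subject Alternative Name format described in the notes above, for both the self-signed and the CSR procedures: a comma-separated list of name:value pairs using the email, DNS, URI, IP, and RID types. The per-type value checks are assumptions chosen to catch obvious typos before a CSR is generated and sent to the CA; they are not BIG-IQ's own validation rules.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Name types the BIG-IQ note lists; matched case-insensitively, emitted in canonical spelling.
CANONICAL = {"email": "email", "dns": "DNS", "uri": "URI", "ip": "IP", "rid": "RID"}
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _is_dns(value):
    """Hostname, optionally with a leading wildcard label; RFC 1035 label syntax (assumed check)."""
    host = (value[2:] if value.startswith("*.") else value).rstrip(".")
    return 0 < len(host) <= 253 and all(_DNS_LABEL.match(label) for label in host.split("."))

def _is_ip(value):
    try:
        ipaddress.ip_address(value)  # accepts IPv4 or IPv6 literals
        return True
    except ValueError:
        return False

def _is_uri(value):
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)

def _is_rid(value):
    """Registered ID: a dotted numeric OID such as 1.3.6.1.4.1."""
    arcs = value.split(".")
    return len(arcs) >= 2 and all(arc.isdigit() for arc in arcs)

def _is_email(value):
    local, sep, domain = value.rpartition("@")
    return bool(sep) and bool(local) and " " not in local and _is_dns(domain)

CHECKS = {"email": _is_email, "DNS": _is_dns, "URI": _is_uri, "IP": _is_ip, "RID": _is_rid}

def parse_san(field):
    """Split a 'type:value,type:value' field into (entries, errors).
    entries holds (canonical_type, value) pairs; errors is empty when every entry is valid."""
    entries, errors = [], []
    for raw in field.split(","):
        item = raw.strip()
        # Split on the first ':' only, so URI and IPv6 values keep their own colons.
        san_type, sep, value = item.partition(":")
        san_type = CANONICAL.get(san_type.strip().lower())
        if not item or not sep or san_type is None:
            errors.append(f"unsupported or malformed entry: {item!r}")
        elif not CHECKS[san_type](value.strip()):
            errors.append(f"invalid {san_type} value: {value.strip()!r}")
        else:
            entries.append((san_type, value.strip()))
    return entries, errors
```

Run it on the exact string you intend to paste into the Subject Alternative Name field; a non-empty error list means the CSR would carry a malformed or unsupported name.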

Import a CA-signed SSL certificate to BIG-IQ for your managed devices

After you submit a CSR from BIG-IQ Centralized Management, your CA sends you a CA-signed SSL certificate.
You import the CA-signed certificate and key pair to BIG-IQ so you can centrally manage the certificate from BIG-IQ. This saves you time because you don't have to log on to individual BIG-IP devices to monitor or deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Import button.
  4. From the Import Type list, select Certificate.
  5. Select Create New.
  6. For the Certificate Source setting:
    • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
    • To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  7. Click the Import button at the bottom of the screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in F5 BIG-IQ Centralized Management: Security. For more information about deployments, refer to the topic titled Deploying Changes in F5 BIG-IQ Centralized Management: Device.

About SSL certificates, keys, and PKCS #12 SSL archive files created outside of BIG-IQ

There might be some cases where you've created an SSL certificate, key, or a PKCS #12 SSL archive file on a system other than BIG-IQ® Centralized Management. In those cases, you can easily import the certificates, keys, and files to BIG-IQ so you can centrally manage them for your BIG-IP® devices.

Import an SSL certificate so you can deploy it to a BIG-IP device

You can import an SSL certificate to BIG-IQ Centralized Management that you created on another system so you can manage it.
  1. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  2. Near the top of the screen, click the Import button.
  3. From the Import Type list, select Certificate.
  4. If the partition is anything other than Common, type it into the Partition field.
  5. For the Certificate Name setting, select Create New or Overwrite Existing.
  6. If you selected Overwrite Existing, select the certificate you want to overwrite.
  7. For the Certificate Source setting:
    • To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
    • To paste the content of the certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
  8. Click the Import button at the bottom of the screen.
The certificate displays in the Certificates & Keys list.
You can now import the key for this certificate.

Import a key for an SSL certificate so you can deploy it to a BIG-IP device

After you import a certificate to BIG-IQ Centralized Management, you can import its associated key pair.
Import a key pair for an SSL certificate you created on a different system so you can centrally manage the certificate from BIG-IQ. This saves you time because you don't have to log on to individual BIG-IP devices to monitor and deploy certificates.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Import button.
  4. From the Import Type list, select Key.
  5. If the partition is anything other than Common, type it into the Partition field.
  6. For the PKCS12 Name setting, select Create New or Overwrite Existing.
  7. If you selected Overwrite Existing, select the key you want to overwrite.
  8. For the PKCS12 Source setting, click the Choose File button to navigate to the file.
  9. If the file is encrypted, into the PKCS12 Password field, type the password for the file.
  10. If the key is encrypted, into the Key Password field, type the password for the key.
  11. Click the Import button at the bottom of the screen.
The PKCS12 file displays in the Certificates & Keys list.

Import a PKCS #12 SSL archive file so you can deploy it to a BIG-IP device

Import a PKCS #12 SSL archive file you created on another system to BIG-IQ Centralized Management to centrally manage it. This saves you time because you don't have to log on to individual BIG-IP devices to monitor or deploy it.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Near the top of the screen, click the Import button.
  4. From the Import Type list, select PKCS#12.
  5. For the PKCS12 Name, select Create New or Overwrite Existing.
  6. If you selected Overwrite Existing, select the file you want to overwrite.
  7. For the PKCS12 Source setting, select Upload File and Choose File to navigate to the file.
  8. In the PKCS12 Password field, type the password.
  9. If the key is encrypted, from the Key Security Type list, select Password and type the password for the key in the Key Password field.
    Important: If you select Normal, BIG-IQ will store the key as unencrypted, which can put your data at risk.
  10. Click the Import button at the bottom of the screen.
The certificate displays in the Certificates & Keys list.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile. Before you deploy it to a BIG-IP device, you must add the clientssl or serverssl profile to that device's LTM pinning policy. For more information about pinning, refer to the topic titled Managing Object Pinning in F5 BIG-IQ Centralized Management: Security. For more information about deployments, refer to the topic titled Deploying Changes in F5 BIG-IQ Centralized Management: Device.

How do I manage Certificate Revocation Lists from BIG-IQ?

A Certificate Revocation List (CRL) is a crucial part of helping your BIG-IP devices securely pass internet traffic, by ensuring that your BIG-IP devices accept only traffic with valid and trustworthy certificates. From BIG-IQ Centralized Management, you can import and manage your BIG-IP devices' CRLs from one location.

Import a Certificate Revocation List file

When you discover a BIG-IP device, BIG-IQ Centralized Management imports the metadata for its PEM-formatted Certificate Revocation List (CRL).

Import a BIG-IP device's CRL file to BIG-IQ so you can manage it.

  1. At the top of the screen, click Configuration.
  2. Click the Import button.
  3. In the Partition field, type the partition where you want to store the CRL file.
  4. Click Choose File and navigate to the location of the file.
    Alternatively, select Paste Text and paste the CRL file's contents into the Source field.
  5. Click the Save & Close button.
The CRL file displays as Managed in the Certificate Revocation List.