Manual Chapter : Managing Traffic and System Certificates

Applies To:

Enterprise Manager

  • 3.1.1

Overview: Certificate monitoring

When you use BIG-IP Local Traffic Manager to manage your SSL traffic, you must track both traffic and system certificates for the devices in your network. Traffic certificates are server certificates that a device uses for traffic management tasks. System certificates are the web certificates that allow client systems to log into the BIG-IP Configuration utility.

To assist you in overseeing these certificates, Enterprise Manager provides a summary of vital certificate information for each managed device in your network. The information that displays on the certificate list screen provides a summary of:

  • Certificate expiration status
  • Certificate and organization name
  • Device on which the certificate is configured

When you monitor a device list, you automatically monitor all of the certificates on all of the devices that are members of that device list. By default, certificate monitoring is enabled for all managed devices.

Tip: If you require additional notification about certificate expiration details, you can create a certificate expiration alert.

Viewing certificates for a managed device

Use this procedure to view the device certificate screen.
  1. On the Main tab, click Enterprise Management > Devices > Device List.
  2. Click the name of the device for which you want to view certificate details. The Device Properties screen for that device opens.
  3. On the Menu bar, from the Configurations menu, select Monitored Certificates. The Monitored Certificates screen for the selected certificate opens.
  4. To view additional details about a particular certificate, click the name of the certificate.

Certificate expiration status flag definitions

The certificate list screen also displays a status flag for each certificate, to provide a quick visual indicator of the status for your certificates.

| Color of status flag | Expiration status | Suggested action |
|---|---|---|
| Red | This certificate has expired. When client systems require this certificate for authentication, the client receives an expired certificate warning. | You must renew this certificate for proper authentication with clients. |
| Yellow | This certificate will expire in 30 days or less. | Although this certificate is valid, you should take action to prevent certificate expiration. |
| Green | This certificate is valid and will remain valid for 30 days. | No action is required. |

Creating a certificate expiration alert for a device

Before you can create a certificate expiration alert, certificate monitoring must be enabled.
You can create an alert to log or send an email notification of an upcoming certificate expiration.
  1. On the Main tab, click Enterprise Management > Alerts > Device Alert List.
  2. Click the Create button. The New Alert screen opens.
  3. In the Name field, type a name for the alert. Once you create the alert, you cannot change the name.
  4. From the Alert Type list, select Certificate Expiration.
  5. For the Condition setting, select the check box next to the number of days before the certificate expires that you want to be notified. Or, type a customized value in the Days field. Select as many options as you like to be notified multiple times about an upcoming certificate expiration.
  6. For the Action setting, select the check box next to each action that you want Enterprise Manager to take when the alert is triggered. If you select the option, Send SNMP trap to remote server, you must have SNMP configured.
  7. If you want to change the email recipient for this alert, clear the Use default email recipient check box and in the Email Recipient field, type an email address. The default email recipient is specified in the Options screen for alerts.
  8. If you want to change the syslog server address for this alert, clear the Use default syslog server address check box, and in the Syslog Server Address field, type a syslog server address. The default syslog server address is specified in the Options screen for alerts.
  9. For the Devices or Devices Lists setting, in the Available box, select one or more devices from the devices or device list and click the Move button to move the selected devices or device list to Assigned.
  10. Click Finished.
Enterprise Manager informs you in advance (according to the number of days you specified) of any upcoming certificate expiration.
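
The status flag table and the alert day thresholds described above can be cross-checked outside the product with a short script. This is an added example, not F5 code: the device names, certificate names, dates, and the 60/30/7-day thresholds are constructed, and reporting only the tightest threshold reached is an assumption, not a description of how Enterprise Manager triggers alerts.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # yellow window from the status flag table

# Constructed inventory: (device, certificate name, notAfter in OpenSSL text form)
SAMPLE = [
    ("bigip-a.example.net", "www-traffic", "Feb 20 00:00:00 2025 GMT"),
    ("bigip-a.example.net", "device-web", "Mar 31 00:00:00 2025 GMT"),
    ("bigip-b.example.net", "api-traffic", "Apr 15 00:00:00 2025 GMT"),
    ("bigip-b.example.net", "device-web", "Dec 01 00:00:00 2025 GMT"),
]
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed so the run is repeatable


def flag(not_after, now):
    """Return (flag colour, whole days remaining) for one notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expires - now
    seconds = remaining.total_seconds()
    if seconds <= 0:
        return "red", remaining.days        # already expired
    if seconds <= WARN_DAYS * 86400:
        return "yellow", remaining.days     # expires in 30 days or less
    return "green", remaining.days


def alert_due(days_left, thresholds):
    """Tightest configured threshold (days) the certificate has reached, else None."""
    reached = [t for t in thresholds if 0 <= days_left <= t]
    return min(reached) if reached else None


def report(inventory, now, thresholds):
    """One row per certificate, soonest expiry first."""
    rows = []
    for device, name, not_after in inventory:
        colour, days = flag(not_after, now)
        rows.append((device, name, colour, days, alert_due(days, thresholds)))
    return sorted(rows, key=lambda row: row[3])


if __name__ == "__main__":
    for device, name, colour, days, due in report(SAMPLE, NOW, [60, 30, 7]):
        note = f"alert: {due}-day threshold" if due is not None else "no alert"
        print(f"{colour:<6} {days:>4}d  {device}  {name}  ({note})")
```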