Forum Discussion

F5Team
Dec 12, 2023

BIG-IQ "Status of HA Certificate on this device has changed from EXPIRING SOON to EXPIRED"

BIG-IQ CM has generated an alert as below.

"Status of HA Certificate on this device has changed from EXPIRING SOON to EXPIRED"

This BIG-IQ is standalone. There's no HA for this.

There is no impact due to this certificate. Management is accessible fine.

We are unable to find this cert on the BIG-IQ GUI.

We would like to get rid of this alert by possibly renewing this cert.

Referring to the article below, it only states the steps to renew HA certs but does not apply to our scenario.

BIG-IQ error message: ''Status of HA Certificate on this device has changed from EXPIRING SOON to EXPIRED'' or ''VALID to EXPIRING SOON'' (f5.com)


Following is the CLI output:

# openssl x509 -in /var/lib/pgsql/config/server.crt -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number:

Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=x.x.x.x, O=F5 BIG-IQ System
Validity
Not Before: Dec 2 08:56:23 2021 GMT
Not After : Dec 2 08:56:23 2023 GMT
Subject: CN=x.x.x.x, O=F5 BIG-IQ System
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:

Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:

X509v3 Authority Key Identifier:

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
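
As an added example (not part of the original post and not F5 tooling), this Python sketch parses the fields of an `openssl x509 -text -noout` dump like the one above and classifies the certificate as VALID, EXPIRING SOON or EXPIRED at a given time. The function names and the 30-day warning window are assumptions; the thread does not state the threshold BIG-IQ uses.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields visible in the post's dump, in the layout
# `openssl x509 -text -noout` prints them (redacted values left out).
SAMPLE = """\
Certificate:
    Data:
        Issuer: CN=x.x.x.x, O=F5 BIG-IQ System
        Validity
            Not Before: Dec  2 08:56:23 2021 GMT
            Not After : Dec  2 08:56:23 2023 GMT
        Subject: CN=x.x.x.x, O=F5 BIG-IQ System
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

def _field(text, label):
    """Return the value of a single-line 'Label: value' field."""
    m = re.search(rf"^[ \t]*{re.escape(label)}[ \t]*:[ \t]*(\S.*?)[ \t]*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"field not found: {label}")
    return m.group(1)

def _when(value):
    """Parse openssl's 'Dec  2 08:56:23 2023 GMT' timestamp as UTC."""
    stamp = re.sub(r"\s*GMT$", "", value)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def inspect_cert(text, now, warn_days=30):  # warn_days: assumed window, not BIG-IQ's
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    not_after = _when(_field(text, "Not After"))
    if now >= not_after:
        status = "EXPIRED"
    elif now >= not_after - timedelta(days=warn_days):
        status = "EXPIRING SOON"
    else:
        status = "VALID"
    return {
        "status": status,
        "days_left": (not_after - now).days,  # floored; negative once expired
        "self_signed": issuer == subject,     # DNs match; signature not verified
        "is_ca": re.search(r"^[ \t]*CA:TRUE[ \t]*$", text, re.MULTILINE) is not None,
    }

if __name__ == "__main__":
    # Evaluated at the post's date, Dec 12, 2023.
    print(inspect_cert(SAMPLE, datetime(2023, 12, 12, tzinfo=timezone.utc)))
```

To check a real file, pass the captured output of the `openssl x509 -in <file> -text -noout` command as `text` and `datetime.now(timezone.utc)` as `now`.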

2 Replies

  • This sounds like a device certificate. Take a look here, as you may need to use the CLI to accomplish this:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/big-iq-web-application-security/configure-connection-device-secure-communications.html

    Generally, you would not remove a device certificate, but instead update it. Classically, in BIG-IP, old software came with a low key bitsize or short expiration window certificate. It also was generic. Even if you don't plan on using an internal CA or removing cert warnings, it is still best practice to replace it with a large key size certificate, an expiration taking into account how long you plan to keep the product before disposal or replacement, and use a common name equivalent to the shortname of the FQDN given to the device (so if the company gets sold, or is renamed, you just need to rename the host to the new domain and can keep the old device name without regenerating a new cert).

    Hope this helps, and this is indeed a device certificate.

  • Thanks.

    I'm not sure this is a device certificate of BIG-IQ.

    While this is the actual alert we have from Big-IQ

    When we verify the cert from browser accessing the BIG-IQ GUI, we see this