El_Bendecido_12
Dec 04, 2015

How can I change the certificate for the management interface GUI?

Hi,

 

At the moment we have some F5s with different modules, all connected to an EM. We have a CA in our company, so there is a requirement to change the management interface certificate or make the current certificate valid. Could you help me with a procedure to resolve the invalid certificate alert?

 

2 Replies

  • eneR

    Hi,

     

    In the F5 GUI go to Main --> System --> Device Certificates and import/replace the existing certificate with the one from your company.

     

  • Hi,

    The default cert has a common name of localhost.localdomain and, as eneR already pointed out, it is best practice to replace it with a cert issued for the device-specific hostname.

    The cert can be self signed or signed by a certificate authority.

    If you have it signed by a CA, make sure they leave the certificate purpose as it is (both client and server cert).

    In case you have (an) intermediate CA(s) involved and your clients trust the root only, it would be required to import the intermediate CA or chain as well. This has to be done on the CLI after copying your chain to /config/httpd/conf/ssl.crt/intermediate_ca.crt:
    chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt
    tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    bigstart restart httpd
    

    Certs are generally stored in PEM format. Be very careful if you plan to deploy GTM or LinkController. The syncgroup trust is based on the device certs and the purpose attributes (client/server) and chain of trust are mandatory.

    Thanks, Stephan
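
The checks the second reply calls for (device hostname instead of localhost.localdomain, both client and server purpose, chain of trust) can be run with openssl before the certificate is imported. This is an added example, not part of the original posts; the function names, file names and the hostname bigip1.example.com are assumptions, and the demo certificates are constructed throwaways.

```bash
# Added example (not from the thread): pre-import checks for a management cert.
# Usage: check_mgmt_cert CERT.pem HOSTNAME [ROOT_CA.pem [INTERMEDIATES.pem]]
# Prints one line per failed check; returns 0 only when every check passes.
check_mgmt_cert() {
    local cert=$1 host=$2 root=${3:-} chain=${4:-} rc=0 purposes

    # Must be a readable PEM certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    # Issued for the device hostname, not the default localhost.localdomain.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "FAIL: certificate is not issued for $host"; rc=1; }
    # The CA must have left both purposes in place (server and client).
    purposes=$(openssl x509 -in "$cert" -noout -purpose)
    echo "$purposes" | grep -q '^SSL server : Yes' ||
        { echo "FAIL: not usable as a server certificate"; rc=1; }
    echo "$purposes" | grep -q '^SSL client : Yes' ||
        { echo "FAIL: not usable as a client certificate"; rc=1; }
    # Still within its validity period.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }
    # Optional: leaf -> intermediate(s) -> root must verify.
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" ${chain:+-untrusted "$chain"} "$cert" \
            >/dev/null 2>&1 || { echo "FAIL: chain of trust does not verify"; rc=1; }
    fi
    return "$rc"
}

# Demo helper: constructed, throwaway self-signed cert (hypothetical names).
gen_cert() {  # gen_cert OUT.pem COMMON_NAME EKU_LIST
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -out "$1" -subj "/CN=$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}

demo() {
    local d; d=$(mktemp -d)
    gen_cert "$d/good.pem" bigip1.example.com serverAuth,clientAuth
    gen_cert "$d/bad.pem" localhost.localdomain serverAuth
    check_mgmt_cert "$d/good.pem" bigip1.example.com && echo "good.pem: OK"
    check_mgmt_cert "$d/bad.pem" bigip1.example.com || echo "bad.pem: rejected"
    rm -rf "$d"
}
demo
```

The chain check only runs when a root CA file is passed; the intermediate file is the same kind of chain file the reply copies to intermediate_ca.crt.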