Forum Discussion

RAQS
Feb 11, 2020

LTM - Device Certificate Renewal

Hi All,

Hope you all are doing great!

I have 8 LTMs; four are using one certificate and the other four are using another certificate (with a SAN name in place), so we have 8 boxes including the secondary devices (HA setup).

Now the device certificate is going to expire. This is an internal-CA-signed certificate. So, can you please help me with the below:

1) How should I get the new certificate to renew this certificate?

2) Steps to renew the cert. Note: this is not a self-signed certificate.

3) Impact of not renewing the certificate.

Regards,

ShekharS

4 Replies

  • > 1) How should I get the new certificate to renew this certificate?

    You need to generate a CSR and request the new certificate from the internal Certificate Authority.

    Just to be clear, every BIG-IP needs to have a unique Device Certificate.

    > 2) Steps to renew the cert. Note: this is not a self-signed certificate.

    Obtaining the new certificate will depend on the internal Certificate Authority process.

    Installing the new Device Certificate and updating the peer devices with the new certificate is detailed in K7717: BIG-IP DNS and Link Controller support for third-party SSL certificates.

    > 3) Impact of not renewing the certificate.

    K15664: Overview of BIG-IP device certificates (11.x - 15.x)

    -----

    The BIG-IP system uses SSL certificates to secure connections when using the Configuration utility to perform administrative tasks and to secure inter-device communication between BIG-IP systems such as BIG-IP LTM device groups and BIG-IP DNS synchronization groups. For successful authentication and secure communication, you should be aware of the following factors:

    • Device certificates must be valid and must not be expired.
    • Device certificates must be maintained and renewed on each BIG-IP system.
    • Redundant BIG-IP systems must exchange renewed certificates.
    • SSL certificates signed by a third-party CA must include both the client authentication (clientAuth) and server authentication (serverAuth) extended key usage (EKU) extensions to allow use by both server and client applications. For more information, refer to K7717: BIG-IP DNS and Link Controller support for third-party SSL certificates.

    BIG-IP systems use device certificates for a variety of tasks. The following sections list F5 device certificate types and their locations.

    -----
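
Before installing a renewed device certificate on each box, it is worth checking it against the K15664 factors quoted in the reply above (not expired or about to expire; both serverAuth and clientAuth EKUs present when the cert comes from an internal or third-party CA). The script below is an added example, not from this thread or from F5; it assumes the openssl CLI is available, and the certificates, hostnames and file names it creates are constructed stand-ins for CA-issued ones.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: a pre-installation sanity
# check for a renewed BIG-IP device certificate against the K15664 factors
# quoted above. A cert passes only if it is not expired or about to expire
# AND carries both the serverAuth and clientAuth EKUs. Needs the openssl CLI;
# hostnames and file names below are constructed placeholders.

# check_device_cert CERT_FILE [WARN_DAYS]
# exit status: 0 = OK, 1 = expired or expiring within WARN_DAYS (default 30),
#              2 = serverAuth EKU missing, 3 = clientAuth EKU missing
check_device_cert() {
  cert="$1"; warn_days="${2:-30}"
  # -checkend exits non-zero if the cert expires within the given seconds
  openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1 || return 1
  # pull the Extended Key Usage line(s) from the human-readable dump
  eku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -A1 'Extended Key Usage')
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 2 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 3 ;; esac
  return 0
}

# make_test_cert NAME DAYS EKU_LIST: constructed self-signed certs that stand in
# for CA-issued ones; only their validity period and extensions matter here.
WORK=$(mktemp -d)
make_test_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1.example.internal
[v3]
extendedKeyUsage = $3
subjectAltName = DNS:$1.example.internal
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

make_test_cert bigip-good     365 "serverAuth,clientAuth"   # fine for device trust
make_test_cert bigip-noclient 365 "serverAuth"              # web UI only, sync will break
make_test_cert bigip-expiring 10  "serverAuth,clientAuth"   # renew now

for name in bigip-good bigip-noclient bigip-expiring; do
  check_device_cert "$WORK/$name.crt" 30 && rc=0 || rc=$?
  echo "$name: rc=$rc"   # prints rc=0, rc=3 and rc=1 respectively
done
```

Run it against the certificate the internal CA returned (and, before the expiry date, against the certificate currently installed on every peer) to catch a missing clientAuth EKU before the device-group sync fails.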

  • Hi Blakely,

    Thanks for replying. We do not have GTM in the picture, just LTMs in an HA setup. So in order to generate the CSR, I can do it from the F5, right?

    From the below path:

    System ›› Certificate Management : Device Certificate Management : Device Certificate Signing Request, then click CREATE and fill in the respective tab.

    Regards.

    ShekharS

      • Ash_Lewis

        Just a quick one. Is there any difference between the following:

        System ›› Certificate Management : Device Certificate Management : Device Certificate Signing Request, then click CREATE and fill in the respective tab,

        or

        System ›› Certificate Management : Device Certificate Management : Device Certificate, then click Renew and fill out the respective tab,

        if you are changing all the details in the CSR?

        Thanks,

        Ash