How to: Manage certificates and keys for a BIG-IP Next instance using BIG-IP Next Central Manager

Summary

SSL certificates are used to secure the traffic between BIG-IP Next and your application services. BIG-IP Next Central Manager stores these certificates in one central location, and allows you to monitor whether these certificates are active and where they are deployed.

From BIG-IP Next Central Manager, you can create, request, import, and manage self-signed or certificate authority (CA)-signed SSL certificates, keys, and PKCS #12 archive files. Once you have imported or created a certificate and key pair, you can deploy it to your BIG-IP Next instances and monitor its status.

Prerequisites

  • To manage certificates and keys, you must have Administrator or Certificate Manager user credentials. Users with Application Manager and Auditor credentials have read-only access to all certificate information. For more information about user roles, see How to: Assign standard roles to users.

Add a certificate

Create an SSL certificate and key pair that can be deployed to your managed BIG-IP Next instances.

Create a new certificate and key

  1. Log in to BIG-IP Next Central Manager, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Create a Self-signed Certificate and add a Name.

  5. For Certificate Properties:

    1. Select an Issuer: either self-signed or signed by a certificate authority (CA).

    2. Enter a Common Name, the server name protected by the SSL certificate. This field is required to save the certificate.

    3. Specify the certificate expiration in Duration(Days).

    4. Add additional details to your certificate properties, such as Organization or Country.

  6. For Key Properties, specify Key Type, Key Size (the UI labels this field Key Size(Kb); the values are key lengths in bits, such as 2048 or 4096 for RSA) and Key Security Type.

    If your selected Key Security Type is password-protected, create and confirm a password that meets the criteria displayed on the screen.

  7. Click Save. The new certificate appears in the Certificates & Keys list.

Create a new certificate, key and CSR (API)

Create a new certificate using a POST request.

POST https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/certificates/create

The following parameters are required. For more information about all the configuration parameters, see Certificate and key pair properties.

  • issuer - Either Self (self-signed) or CA (signed by a certificate authority).

  • name - This is the unique name used to identify the certificate.

  • key_type - Either RSA or ECDSA.

    • For RSA you must specify the supported key_size: 2048, 3072, 4096, or 8192.

    • For ECDSA you must specify the supported key_curve_name: prime256v1, secp384r1, or secp521r1.

  • key_passphrase - If your key is password encrypted, create a password that meets the minimum criteria:

    • 8 characters

    • 1 digit

    • 1 upper case letter

    • 1 special character

Import a certificate

  1. Log in to BIG-IP Next Central Manager, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Import a Certificate.

  5. In the Name field, select Create New and enter the certificate name.

  6. In the Type field, select Certificate & Key.

    To import a PKCS #12 bundle instead, see Import a PKCS #12 certificate (UI).

  7. From the Source field, select one of the import options:

    Note: You can import a certificate or a key; you are not required to import both.

    1. To upload the certificate and key files, select Import.

      1. From the Certificate field, click the Import button, navigate to the location where the certificate is stored, and select it.

      2. From the Key field, click the Import button, navigate to the location where the key is stored, and select it.

    2. To paste the certificate and key contents, select Paste, and then copy and paste them into the designated fields.

  8. Click Save to add the imported certificate.

Import a PKCS #12 certificate (UI)

  1. Log in to BIG-IP Next Central Manager, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Import a Certificate.

  5. In the Name field select Create New and enter the certificate name.

  6. In the Type field select PKCS12.

  7. Click the Import button, navigate to the location in which the certificate is stored, and select it.

  8. Enter the Certificate Password.

  9. From the Key Security Type field, select whether you would like the key to be password-encrypted.

    F5 recommends you select the password-encrypted option. A PKCS #12 bundle is password-protected when you import it, but that password is not retained after import, so without this option the key is stored unencrypted in BIG-IP Next Central Manager.

  10. Click Save to add the imported certificate.

Import a certificate (API)

Import either a certificate and key pair, a certificate (without a key) or a PKCS#12 certificate using a POST request. See example requests for the type of certificate to import.

POST https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/certificates/import

Note: You can import a certificate or a key; you are not required to import both.

Example request body:

  {
    "import_type": "PEM",
    "name": "namexyz",
    "cert_text": "base64 encoded certificate",
    "key_text": "base64 encoded key",
    "key_passphrase": "key passphrase"
  }

PKCS #12 certificate and key bundles are password-protected (cert_passphrase) when you import them, but that password is not retained after import. F5 recommends that you password-encrypt the stored key by setting key_passphrase. If you do not want the key password-encrypted, omit the key_passphrase field from the import request entirely.
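The following script is an added example (not F5's code) that applies the rules this page gives for the create and import endpoints before a request leaves your machine: the RSA size and ECDSA curve lists, the key_passphrase minimum policy, the rule that key_passphrase is omitted rather than left empty, and a PEM sanity check so a swapped certificate and key file is caught early instead of showing up later as an Error status. Endpoint paths and field names are taken from this page; Bearer authentication, the CA bundle argument, and base64-encoding the full PEM text for cert_text/key_text are assumptions, and the certificate and key strings at the bottom are constructed placeholders, not real key material.

```python
"""Client-side checks and request bodies for the certificate create and
import endpoints of BIG-IP Next Central Manager.

Added example, not F5 code. Endpoint paths, field names and the
passphrase policy come from the page; Bearer authentication, the CA
bundle argument and base64-encoding the whole PEM text are assumptions.
"""
import base64
import json
import re
import ssl
import urllib.request

CREATE_PATH = "/api/v1/spaces/default/certificates/create"
IMPORT_PATH = "/api/v1/spaces/default/certificates/import"
RSA_SIZES = {2048, 3072, 4096, 8192}
EC_CURVES = {"prime256v1", "secp384r1", "secp521r1"}


def passphrase_problems(pw):
    """Return the rules of the page's minimum policy that `pw` fails
    (an empty list means the passphrase is acceptable)."""
    rules = [
        (len(pw) >= 8, "at least 8 characters"),
        (re.search(r"\d", pw), "at least 1 digit"),
        (re.search(r"[A-Z]", pw), "at least 1 upper case letter"),
        (re.search(r"[^A-Za-z0-9]", pw), "at least 1 special character"),
    ]
    return [msg for ok, msg in rules if not ok]


def _require_passphrase(pw):
    problems = passphrase_problems(pw)
    if problems:
        raise ValueError("key_passphrase needs " + ", ".join(problems))
    return pw


def create_body(name, issuer, key_type, key_size=None, key_curve_name=None,
                key_passphrase=None, **extra):
    """Body for POST .../certificates/create. Extra certificate properties
    (common name, duration, organization) are passed through unchanged;
    their API field names are not listed on this page."""
    if issuer not in ("Self", "CA"):
        raise ValueError("issuer must be 'Self' or 'CA'")
    body = {"issuer": issuer, "name": name, "key_type": key_type}
    if key_type == "RSA":
        if key_size not in RSA_SIZES:
            raise ValueError(f"RSA key_size must be one of {sorted(RSA_SIZES)}")
        body["key_size"] = key_size
    elif key_type == "ECDSA":
        if key_curve_name not in EC_CURVES:
            raise ValueError(f"ECDSA key_curve_name must be one of {sorted(EC_CURVES)}")
        body["key_curve_name"] = key_curve_name
    else:
        raise ValueError("key_type must be 'RSA' or 'ECDSA'")
    if key_passphrase is not None:          # omitted entirely when not wanted
        body["key_passphrase"] = _require_passphrase(key_passphrase)
    body.update(extra)
    return body


def _pem(text, kind):
    """Check that `text` is a PEM block of the expected kind, so a swapped
    certificate/key file is rejected here rather than as an Error status."""
    text = text.strip()
    if not re.match(rf"-----BEGIN [A-Z ]*{kind}-----", text) or not text.endswith("-----"):
        raise ValueError(f"expected a PEM {kind} block")
    return text


def import_body(name, cert_pem=None, key_pem=None, key_passphrase=None):
    """Body for POST .../certificates/import with import_type PEM. Either
    part may be omitted; key_passphrase is left out when the stored key
    should not be password-encrypted."""
    if cert_pem is None and key_pem is None:
        raise ValueError("nothing to import")
    body = {"import_type": "PEM", "name": name}
    if cert_pem is not None:
        body["cert_text"] = base64.b64encode(_pem(cert_pem, "CERTIFICATE").encode()).decode()
    if key_pem is not None:
        body["key_text"] = base64.b64encode(_pem(key_pem, "PRIVATE KEY").encode()).decode()
    if key_passphrase is not None:
        body["key_passphrase"] = _require_passphrase(key_passphrase)
    return body


def post_json(cm_host, path, body, token, cafile=None):
    """POST a body to Central Manager over verified TLS. Bearer auth is an
    assumption; `cafile` lets you trust the manager's own CA instead of
    turning certificate verification off."""
    req = urllib.request.Request(
        f"https://{cm_host}{path}", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"}, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: not real certificate or key material.
    cert = "-----BEGIN CERTIFICATE-----\nTUlJQi4uLg==\n-----END CERTIFICATE-----"
    key = "-----BEGIN EC PRIVATE KEY-----\nTUlJQi4uLg==\n-----END EC PRIVATE KEY-----"
    print(json.dumps(create_body("web-self", "Self", "ECDSA", key_curve_name="secp384r1",
                                 key_passphrase="Str0ng!Pass"), indent=2))
    print(json.dumps(import_body("web-import", cert, key), indent=2))
    # To send: post_json("cm.example.net", IMPORT_PATH, body, token, cafile="cm-ca.pem")
```

The validation mirrors what Central Manager would otherwise reject server-side, but doing it locally keeps a weak passphrase or an undersized key from ever being transmitted, and `post_json` deliberately has no switch to disable TLS verification: if the manager presents a certificate your client does not trust, supply its CA bundle through `cafile`.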

Replace or renew certificate

Manage certificates that are nearing or past their expiration date so that your certificates stay active. You can either renew an existing certificate or replace it with a certificate that has new properties.

BIG-IP Next Central Manager provides alerts for certificate expiration. For more information about managing these alerts, see Manage alert notifications.

Renew a certificate (UI)

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. Click the name of the certificate.

    When you click on a certificate, its properties are read-only.

  4. From the Expiration field click Renew.

    You can now edit the certificate and key properties.

  5. Click Renew.

If the renewal was successful, the certificate status now appears as Active, and the expiration warning banner no longer displays. If the renewal was not successful, an error displays; check that your certificate and key properties are valid.

Renew a certificate (API)

You need the certificate id(s) to renew certificates. To list all certificates and their details, including their ids:

GET https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/certificates

Then renew the certificates by id:

POST https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/certificates/renew

Replace a certificate (UI)

Import a certificate to overwrite an existing certificate.


  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Import a Certificate.

  5. In the Name field select Overwrite Existing and select the certificate you would like to replace.

  6. In the Type field select the type of certificate to import.

  7. From the Source field select one of the import options:

    1. To upload the certificate and key files, select Import.

      1. From the Certificate field, click the Import button, navigate to the location where the certificate is stored, and select it.

      2. From the Key field, click the Import button, navigate to the location where the key is stored, and select it.

    2. To paste the certificate and key contents, select Paste, and then copy and paste them into the designated fields.

  8. Click Save to replace the selected certificate.

The selected certificate is overwritten with the new certificate.

Delete a certificate

Remove certificate and key pairs from the BIG-IP Next Central Manager. Before you remove certificates and key pairs from BIG-IP Next Central Manager, verify that they are not in use. You can do so by viewing the status on the Certificates & Keys screen. Certificates with an Active or Warning status might be in use.

Delete a certificate (UI)

You can remove one or multiple certificate and key pairs.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. Select the checkbox next to the certificates and keys you want to delete from BIG-IP Next Central Manager.

  4. At the top right of the screen, click Remove.

  5. Click Remove to confirm the action and remove the selected certificate(s) and key(s).

Delete a certificate (API)

Delete a certificate based on the id.

DELETE https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/certificates/{id}

To delete multiple certificates in one call, send the list of certificate ids in the body of a DELETE request to the collection endpoint:

DELETE https://{{bigip_next_cm_mgmt_ip}}/api/v1/spaces/default/certificates

Example request body for multiple certificate delete

  {
    "certificates": [
      "cert-id",
      "cert-id2"
    ]
  }

Result: A successful response returns a list of removed certificates.

Deploy a certificate to a BIG-IP Next instance

To deploy a certificate to a BIG-IP Next instance, you deploy an application service that includes a certificate to the instance. To include a certificate in your deployment, use a template that includes a certificate parameter. When a template uses this parameter, BIG-IP Next Central Manager prompts you for the certificate to use. The example template titled http contains the FAST template code that includes this parameter.

Reference

Certificate Status

Status indicates certificate expiration, and whether you need to renew or remove a certificate.

  • Expired (Critical) - Certificate is expired and no longer active. Renew or delete the inactive certificate.

  • Warning - Certificate is within 30 days of expiration and needs renewal or replacement.

  • Active - Certificate is active and has not yet reached the specified expiration warning period.

  • Error - The initial certificate creation or import, or a renewal, failed because the fingerprints of the certificate and key do not match (the key does not belong to the certificate).
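As an added example (not F5 code) tying the Renew, Delete and Status sections together, the script below classifies an inventory the way the Status reference describes (Expired past notAfter, Warning within 30 days, Active otherwise) and turns the result into the id list for the renew call and the {"certificates": [...]} body for the bulk DELETE. The 30-day window and the delete body shape come from this page; the inventory is constructed, and because the page does not show the fields of the GET .../certificates response, the id, name, expires and in_use fields are assumptions (in_use standing in for the deployment information Central Manager tracks).

```python
"""Classify certificates the way the Status reference does and turn the
result into the id lists the renew and bulk-delete endpoints take.

Added example, not F5 code. The 30-day warning window and the
{"certificates": [...]} delete body are from the page. The inventory is
constructed; the real GET .../certificates response is not shown on the
page, so the id / name / expires / in_use fields are assumptions.
"""
from datetime import datetime, timedelta, timezone

WARNING_WINDOW = timedelta(days=30)


def status_for(expires, now):
    """Expired once notAfter has passed, Warning inside the 30-day window,
    otherwise Active. Both datetimes must be timezone-aware."""
    if expires <= now:
        return "Expired"
    if expires - now <= WARNING_WINDOW:
        return "Warning"
    return "Active"


def triage(inventory, now):
    """Split an inventory into ids to renew, ids safe to delete, and ids to
    leave alone. Anything still deployed is renewed rather than deleted, and
    Warning certificates are renewed whether or not they are deployed, since
    the page warns that Active and Warning certificates may be in use."""
    plan = {"renew": [], "delete": [], "keep": []}
    for cert in inventory:
        status = status_for(cert["expires"], now)
        if status == "Active":
            plan["keep"].append(cert["id"])
        elif status == "Expired" and not cert["in_use"]:
            plan["delete"].append(cert["id"])
        else:
            plan["renew"].append(cert["id"])
    return plan


def bulk_delete_body(ids):
    """Body for DELETE .../certificates, in the shape shown on the page."""
    return {"certificates": list(ids)}


# Constructed sample inventory with a fixed clock so the run is repeatable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "cert-1", "name": "www-prod", "expires": NOW + timedelta(days=200), "in_use": True},
    {"id": "cert-2", "name": "api-prod", "expires": NOW + timedelta(days=12), "in_use": True},
    {"id": "cert-3", "name": "old-test", "expires": NOW - timedelta(days=3), "in_use": False},
    {"id": "cert-4", "name": "legacy", "expires": NOW - timedelta(days=40), "in_use": True},
    {"id": "cert-5", "name": "staging", "expires": NOW + timedelta(days=30), "in_use": False},
]

if __name__ == "__main__":
    plan = triage(INVENTORY, NOW)
    for cert in INVENTORY:
        print(f"{cert['id']:8} {cert['name']:10} {status_for(cert['expires'], NOW)}")
    print("ids for POST .../certificates/renew:", plan["renew"])
    print("DELETE .../certificates body:", bulk_delete_body(plan["delete"]))
```

The ordering matters: an expired certificate that is still deployed is a renewal candidate, not a deletion candidate, because deleting it from Central Manager does not repair the instance that is still serving it. The request body for the renew endpoint is not shown on this page, so the script stops at producing the ids.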