How to: Manage certificates and keys for a BIG-IP Next instance using BIG-IP Next Central Manager

Summary

SSL certificates secure the traffic between BIG-IP Next and your application services. BIG-IP Next Central Manager stores these certificates in one central location and lets you monitor whether they are active and where they are deployed.

From BIG-IP Next Central Manager, you can create, request, import, and manage self-signed or certificate authority (CA)-signed SSL certificates, keys, and PKCS #12 archive files. Once you have imported or created a certificate and key pair, you can deploy it to your BIG-IP Next instances and monitor its status.

Starting with version 20.3.0, you can create a Certificate Signing Request (CSR) to obtain SSL certificates. A CSR is an encoded block of text that you send to a Certificate Authority (CA) to obtain an SSL certificate. It includes information about the organization and the public key to be included in the certificate. Central Manager generates the request together with the matching private key; only the CSR, which carries the public key, is sent to the CA.

BIG-IP Next also provides a default certificate bundle, ca-bundle. The default CA bundle is automatically added to BIG-IP Next Central Manager. You can view this in the Certificates & Keys tab in the Applications menu and you can use it in various contexts within BIG-IP Next.

Prerequisites

To manage certificates and keys, you must have Administrator or Certificate Manager user credentials. Users with Application Manager and Auditor credentials have read-only access to all certificate information. For more information about user roles, see How to: Assign standard roles to users.

Create a new CA-signed certificate and key

Create a CA-signed certificate and key pair that can be deployed to your managed BIG-IP Next instances. Central Manager generates the private key and a Certificate Signing Request (CSR); you submit the CSR to your CA and then import the signed certificate the CA returns.

To create a new CA-signed certificate and key using Central Manager GUI:

  1. Log in to BIG-IP Next Central Manager, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Create a Certificate and add a Name.

  5. For Certificate Properties:

    1. Select a Tag to specify the type of traffic the certificate supports. You can select either Traffic(LTM), Access, or GSLB.

    2. Select the Type to specify the type of certificate. Select End Entity Certificate (CA Signed) from the dropdown.

    3. Select an Issuer, and then select Generate Certificate Signing Request.

    4. Enter a Common Name, the server name protected by the SSL certificate. This field is required to save the certificate.

    5. Add the additional details such as Division, Organization, Locality, State/Province, Country, E-mail Address, and Subject Alternative Names.

      Note: For the Subject Alternative Names (SAN) field, you can select one or more of the following (comma-delimited):

      • DNS: Specifies a fully-qualified domain name, e.g., DNS:www.example.com

      • IP: Specifies an IP address, e.g., IP:192.168.100.100

      • email: Specifies an email address, e.g., email:steve@example.com

      • URI: Specifies a URI, e.g., URI:ldap://somehost.com/CN=foo,OU=bar

      • otherName: Specifies an OID and value, e.g., otherName:1.2.3.4;UTF8:some other identifier

      SAN field example: DNS:www.example.com, IP:192.168.100.100, email:steve@example.com

    6. Specify the certificate expiration in Certificate Lifespan (days).

  6. For Certificate Signing Request Attributes:

    1. Enter Administrator Email Address to specify the admin email address.

    2. Enter Challenge Password and Confirm Password.

  7. For Key Properties, specify Key Type, Key Size(Kb) and Key Security Type. The size is the key length in bits (for example, 2048 for RSA).

    Note: If your selected Key Security Type is password-protected, create and confirm a password that meets the criteria displayed on the screen.

  8. Click Save.

  9. The new CSR appears in the Certificates & Keys list. In the Contents tab, the CSR is labeled Key & Certificate Signing Request.

  10. When you click on the new CSR, a drawer named Add Certificate & Keys will open.

  11. Click Download to download the CSR. Submit this CSR to the CA for signature.

  12. After receiving the signed certificate from the CA, you can either:

    • To import a CA-signed certificate, select Import. Click the Import button in the Certificate section, navigate to the location where the CA-signed certificate is stored, and select it.

    • To paste the CA-signed certificate content, select Paste, then copy and paste the content.

  13. Click Save.

  14. The new certificate appears in the Certificates & Keys list, and the Contents tab now shows Certificate & Key.

Results

The new CA-signed certificate appears in the Certificates & Keys list.
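The SAN format in step 5 above is easy to get wrong by hand: a bare host name without the DNS: prefix, an IP address entered under DNS: (which TLS clients ignore when matching a name), or the page's own URI example, which contains a comma and so cannot be split naively on ",". The following is an added example, not part of the Central Manager product or its documentation, that parses and validates a SAN string in that format before you paste it into the form. The accepted types come from the list above; the per-type checks and the rule of splitting only before a type prefix are this example's own assumptions about what the form expects.

```python
"""Validate and normalise a Subject Alternative Names (SAN) string in the
comma-delimited type:value form used by the Certificates & Keys form.

Added example, not F5 code. The five types come from the page; the checks
below are this example's own and may be stricter than the form itself.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

SanEntry = Tuple[str, str]

# Split on a comma only when a recognised type prefix follows it, so a URI
# value that itself contains commas (the page's ldap example) stays intact.
_SPLIT = re.compile(r",\s*(?=(?:DNS|IP|email|URI|otherName):)")
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")   # scheme:rest, no spaces
_OID = re.compile(r"^\d+(\.\d+)+$")


def _dns(value: str) -> str:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        pass
    else:  # an IP literal in a dNSName is ignored by clients; it belongs under IP:
        raise ValueError(f"{value!r} is an IP address; use IP: instead of DNS:")
    name = value.lower().rstrip(".")
    labels = name.split(".")
    if labels[0] == "*":          # wildcard allowed only as the left-most label
        labels = labels[1:]
    if not labels or any(not _DNS_LABEL.match(lbl) for lbl in labels):
        raise ValueError(f"invalid DNS name: {value!r}")
    return name


def _ip(value: str) -> str:
    return str(ipaddress.ip_address(value))   # also normalises IPv6 spelling


def _email(value: str) -> str:
    if not _EMAIL.match(value):
        raise ValueError(f"invalid email address: {value!r}")
    return value


def _uri(value: str) -> str:
    if not _URI.match(value):
        raise ValueError(f"invalid URI: {value!r}")
    return value


def _othername(value: str) -> str:
    oid, sep, typed = value.partition(";")   # page form: OID;TYPE:value
    if not sep or not _OID.match(oid) or ":" not in typed:
        raise ValueError(f"otherName must look like OID;TYPE:value, got {value!r}")
    return value


_VALIDATORS: Dict[str, Callable[[str], str]] = {
    "DNS": _dns, "IP": _ip, "email": _email, "URI": _uri, "otherName": _othername,
}


def parse_san(text: str) -> List[SanEntry]:
    """Return [(type, normalised value), ...] or raise ValueError."""
    entries: List[SanEntry] = []
    for item in (part.strip() for part in _SPLIT.split(text)):
        if not item:
            continue
        kind, sep, value = item.partition(":")
        if not sep or kind not in _VALIDATORS:
            raise ValueError(f"SAN entry {item!r} must start with one of "
                             f"{', '.join(_VALIDATORS)} followed by ':'")
        entries.append((kind, _VALIDATORS[kind](value.strip())))
    if not entries:
        raise ValueError("SAN field is empty")
    return entries


def format_san(entries: List[SanEntry]) -> str:
    """Render entries back into the form's comma-delimited syntax."""
    return ", ".join(f"{kind}:{value}" for kind, value in entries)


def is_valid_san(text: str) -> bool:
    try:
        parse_san(text)
        return True
    except ValueError:
        return False
```

Run parse_san on the string before pasting it; format_san gives you a normalised string (lower-cased host names, compressed IPv6 addresses) to paste, and a ValueError tells you which entry the form is likely to reject.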

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To create a new CA-signed certificate and key using Central Manager API:

  1. Send a POST request to the /spaces/default/certificates/create endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/create

  2. For the request payload, use the following example, modifying the values as required.

    {
    "name": "test_csr",
    "issuer": "CA",
    "common_name": "test.com",
    "division": [
       "Test_Division"
    ],
    "organization": [
       "Organization_Name"
    ],
    "locality": [
       "Test_Locality"
    ],
    "state": [
       "Test_State"
    ],
    "country": [
       "US"
    ],
    "duration_in_days": 90,
    "administrator_email": "admin@test.com",
    "key_type": "RSA",
    "key_size": 2048
    }
    

    A private key and a CSR are created (the certificate itself does not exist until the CA's signed certificate is imported in step 5), and a certificate ID is returned. Keep this ID; the remaining steps use it.

  3. Retrieve the CSR by sending a GET request to the /spaces/default/certificates/{id} endpoint, where {id} is the ID returned in the previous step.

    GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/{id}

  4. Submit the CSR to the Certificate Authority (CA) for signing.

  5. After receiving the signed certificate, import it into Central Manager by sending a POST request to the /spaces/default/certificates/import endpoint, with the ID returned in step 2 in the payload.

    POST  https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/import

    For the request payload, use the following example, modifying the values as required.

    {
     "id": "20e26ced-39fc-4ca0-8161-eb2bdf7e7928",
     "cert_text": "{{cert_pem}}"
    }
    

    For more information about importing the certificate, refer to Import a Certificate.

Create a new self-signed certificate and key

To create a new self-signed certificate and key using Central Manager GUI:

  1. Log in to BIG-IP Next Central Manager, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Create a Certificate and add a Name.

  5. For Certificate Properties:

    1. Select a Tag to specify the type of traffic the certificate supports. You can select either Traffic(LTM), Access, or GSLB.

    2. Select the Type to specify the type of certificate. Select End Entity (Self Signed) from the dropdown.

    3. Select an Issuer, and then select Generate Certificate Signing Request.

    4. Enter a Common Name, the server name protected by the SSL certificate. This field is required to save the certificate.

    5. Add the additional details such as Division, Organization, Locality, State/Province, Country, E-mail Address, and Subject Alternative Names.

    6. Specify the certificate expiration in Certificate Lifespan (days).

  6. For Key Properties, specify Key Type, Key Size(Kb) and Key Security Type. The size is the key length in bits (for example, 2048 for RSA).

    Note: If your selected Key Security Type is password-protected, create and confirm a password that meets the criteria displayed on the screen.

  7. Click Save.

Results

The new self-signed certificate appears in the Certificates & Keys list.

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To create a self-signed certificate using Central Manager API:

  1. Send a POST request to the /spaces/default/certificates/create endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/create

  2. For the request payload, use the following example, modifying the values as required.

    {
    "name": "test_self_signed_cert",
    "issuer": "Self",
    "common_name": "test.com",
    "division": [
       "Test_Division"
    ],
    "organization": [
       "Organization_Name"
    ],
    "locality": [
       "Test_Locality"
    ],
    "state": [
       "Test_State"
    ],
    "country": [
       "US"
    ],
    "duration_in_days": 90,
    "administrator_email": "admin@test.com",
    "key_type": "RSA",
    "key_size": 2048
    }
    

Results

The self-signed certificate is created, and a certificate ID is returned.

Import a Certificate

To import a certificate using Central Manager GUI:

  1. Log in to BIG-IP Next Central Manager, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Import a Certificate.

  5. In the Name field, select Create New and enter the certificate name.

  6. Select the Tag. Available options are Traffic, Access, GSLB, and Forward Proxy.

  7. To import a Certificate & Key:

    1. In the Type field, select Certificate & Key.

    2. From the Source field, select one of the import options:

    Note: You can import a certificate, a key, or both; neither field is required on its own.

      1. To import files, select Import.

        1. From the Certificate field, click the Import button, navigate to the location where the certificate is stored, and select it.

        2. From the Key field, click the Import button, navigate to the location where the key is stored, and select it.

      2. To paste PEM content, select Paste, and then copy and paste the certificate and key contents into the designated fields.

  8. To import a PKCS #12 certificate:

    1. In the Type field, select PKCS12.

    2. Click the Import button, navigate to the location in which the certificate is stored, and select it.

    3. Enter the Certificate Password.

    4. From the Key Security Type field, select whether you would like the key to be password-encrypted.

    Note: F5 recommends you select the password-encrypted option. A PKCS #12 bundle is password-protected when you import it, but that password is not retained after import, so the extracted key stays protected only if you choose to password-encrypt it here.

  9. To import a Certificate Bundle:

    1. In the Type field, select Certificate Bundle.

    2. From the Source field, select one of the import options.

      1. To import a certificate bundle, select Import. Click the Import button in the Certificate Bundle section; navigate to the location where the certificate bundle is stored, and select it.

      2. To paste the certificate content of a certificate bundle, select Paste, and then copy and paste the certificate bundle content.

Notes:

  • Only certificates in X.509 PEM format are supported.

  • Any data other than certificate blocks is rejected or skipped during upload: metadata, private keys, and CRLs are ignored. Check a bundle for private keys before you upload it anyway; a key pasted into a bundle field has already left its secure store.
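The two notes above describe what the bundle upload keeps and discards. The following added example (not F5 code) applies the same rule locally so you can inspect a bundle before uploading it: it keeps only X.509 PEM CERTIFICATE blocks, reports what would be skipped, and stops if a private key is present, since a key pasted into a bundle field has already been exposed and should be rotated rather than uploaded. The sample bundle is constructed for the example; its certificate bodies are a five-byte ASN.1 SEQUENCE, not real certificates, and the check that a body decodes to DER starting with a SEQUENCE tag is this example's own.

```python
"""Pre-flight a certificate bundle before uploading it as a Certificate Bundle.

Added example, not F5 code. Keeps only CERTIFICATE blocks (as the upload
does), counts what would be skipped, and refuses bundles that carry a key.
"""
import base64
import re
from typing import Dict, List, Tuple

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_pem(text: str) -> List[Tuple[str, str]]:
    """(label, base64 body) for every PEM block, in order of appearance."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def filter_bundle(text: str) -> Tuple[str, Dict[str, int]]:
    """Return (PEM text with only CERTIFICATE blocks, counts of skipped items).

    Raises ValueError for a private key, a body that is not base64 DER, or a
    bundle with no certificates at all.
    """
    kept: List[str] = []
    skipped: Dict[str, int] = {}
    for label, body in split_pem(text):
        if label in _KEY_LABELS:
            raise ValueError(f"bundle contains a {label}; remove it, never upload private keys")
        if label != "CERTIFICATE":          # CRLs, parameters, anything else
            skipped[label] = skipped.get(label, 0) + 1
            continue
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:            # binascii.Error is a ValueError
            raise ValueError("CERTIFICATE block is not valid base64") from exc
        if not der or der[0] != 0x30:        # a DER certificate is an ASN.1 SEQUENCE
            raise ValueError("CERTIFICATE block does not decode to DER")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        kept.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                    + "\n-----END CERTIFICATE-----")
    # openssl-style "subject=" lines and other free text outside the blocks
    stray = [ln for ln in _PEM_BLOCK.sub("", text).splitlines() if ln.strip()]
    if stray:
        skipped["free text lines"] = len(stray)
    if not kept:
        raise ValueError("no CERTIFICATE blocks found")
    return "\n".join(kept) + "\n", skipped


def is_uploadable(text: str) -> bool:
    try:
        filter_bundle(text)
        return True
    except ValueError:
        return False


# Constructed sample (not real certificates): two placeholder CERTIFICATE
# blocks, one CRL and one "subject=" line, which the upload keeps or skips.
_FAKE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_BUNDLE = f"""subject=CN=Example Root
-----BEGIN CERTIFICATE-----
{_FAKE_BODY}
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
{_FAKE_BODY}
-----END X509 CRL-----
-----BEGIN CERTIFICATE-----
{_FAKE_BODY}
-----END CERTIFICATE-----
"""
SAMPLE_WITH_KEY = SAMPLE_BUNDLE + (
    f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_BODY}\n-----END RSA PRIVATE KEY-----\n")
```

filter_bundle returns the text you would paste into the Certificate Bundle field together with a count of what was dropped; if the counts surprise you (for example, a CRL you expected to be honoured), that is the moment to fix the bundle, not after the upload silently discarded it.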

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To import an existing certificate using Central Manager API:

  1. Send a POST request to the /spaces/default/certificates/import endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/import

  2. For the request payload, use the following example, modifying the values as required.

    {
       "name" : "test_import_cert",
       "cert_text": "{{cert_pem}}",
       "key_text": "{{key_pem}}",
       "key_passphrase": "Test@12345"
    }
    

Results: The certificate is imported and an id is generated. Keep this id: to replace (overwrite) the certificate later, include it in the import request payload in place of a name.

To import a certificate bundle using Central Manager API:

  1. Send a POST request to the /spaces/default/certificates/import-bundle endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/import-bundle

  2. For the request payload, send the following fields as form data (the bundle file is uploaded as the fileContent field), modifying the values as required.

    Sample form data:

    | Key          | Value        |
    |--------------|--------------|
    | fileContent  | bundle.crt   |
    | name         | certbundle   |
    | source       | Traffic      |

Results: The certificate bundle is imported and an id is generated. This id should be added in the PUT request if you want to update the existing certificate bundle.

For more information on certificate APIs, refer to Open API Documentation.

Renew a certificate

To renew an existing certificate using Central Manager GUI:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. Click the name of the certificate.

    When you click on a certificate, its properties are read-only.

  4. From the Expiration field click Renew.

    You can now edit the certificate and key properties.

  5. Click Renew.

    Note: After generating a certificate from a CSR, clicking on the Renew button will generate a new CSR. This will require repeating the same steps to create a CA-signed certificate and key.

If the renewal was successful, the certificate status now appears as Active, and the expiration warning banner no longer displays. If the renewal was not successful, an error displays. If an error occurs, check that your certificate and key properties are valid.

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To renew an existing certificate using Central Manager API:

  1. Send a GET request to the /spaces/default/certificates endpoint. Identify the ID of the certificate that you want to renew.

  2. Send a POST request to the /spaces/default/certificates/renew endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/renew

  3. For the request payload, use one of the following examples, modifying the values as required. For id, add the id of the certificate that you want to renew.

    For a self-signed certificate (issuer Self):

    {
    "id": "733eedf9-5917-4400-80ff-0a291f36b96a",
    "issuer": "Self",
    "common_name": "test.com",
    "division": [
       "Test_Division"
    ],
    "organization": [
       "Organization_Name"
    ],
    "locality": [
       "Test_Locality"
    ],
    "state": [
       "Test_State"
    ],
    "country": [
       "US"
    ],
    "duration_in_days": 90,
    "administrator_email": "admin@test.com",
    "key_type": "RSA",
    "key_size": 2048
    } 
    
    For a CA-signed certificate (issuer CA), which generates a new CSR that you must have signed and import again, as in the CA-signed procedure:

    {
    "id": "733eedf9-5917-4400-80ff-0a291f36b96a",
    "issuer": "CA",
    "common_name": "test.com",
    "division": [
       "Test_Division"
    ],
    "organization": [
       "Organization_Name"
    ],
    "locality": [
       "Test_Locality"
    ],
    "state": [
       "Test_State"
    ],
    "country": [
       "US"
    ],
    "duration_in_days": 90,
    "administrator_email": "admin@test.com",
    "key_type": "RSA",
    "key_size": 2048
    }
    

Results

The certificate is renewed. For issuer CA, a new CSR is generated instead: retrieve it, have it signed, and import the signed certificate with the same id, as in the CA-signed procedure.

Overwrite an existing certificate

Import a certificate to overwrite an existing certificate.

BIG-IP Next Central Manager provides alerts for certificate expiration. For more information about managing these alerts, see Manage alert notifications.

To overwrite a certificate using Central Manager GUI:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. At the top right of the screen, click + Add.

  4. Select Import a Certificate.

  5. In the Name field select Overwrite Existing and select the certificate you would like to replace.

  6. In the Type field select the type of certificate to import.

  7. From the Source field select one of the import options:

    1. If you want to import your certificate and key select Import.

      1. From the Certificate field click the Import button, navigate to the location the certificate is stored, and select it.

      2. From the Key field click the Import button, navigate to the location the key is stored, and select it.

    2. To paste your certificate and key, select Paste, and then copy and paste the certificate and key contents into the designated fields.

  8. Click Save to replace the selected certificate.

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To overwrite an existing certificate using Central Manager API:

  1. Send a POST request to the /spaces/default/certificates/import endpoint, with the id of the certificate to replace in the payload.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/import

  2. For the request payload, use the following example, modifying the values as required.

    {
     "id": "733eedf9-5917-4400-80ff-0a291f36b96a",
     "cert_text": "{{cert_pem}}",
     "key_text": "{{key_pem}}",
     "key_passphrase": "Tester@16788"
    }
    

Results

The selected certificate is overwritten with the new certificate.
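The API procedures above (create a CSR and key with issuer CA, create a self-signed certificate with issuer Self, import a certificate and key, and overwrite an existing entry by id) all drive three endpoints. The following added example, which is not F5 code, wraps them in one small Python client and runs the CA-signed flow end to end. Assumptions not stated on this page: the token from the authentication step is sent as an Authorization: Bearer header; replies are JSON and the create reply carries the new id in a field named id (the same id the import payload takes); the field holding the CSR text in the GET reply is not named on the page, so get() returns the whole record and your CA integration picks the CSR out of it. The transport is injectable, so FakeTransport exercises the flow offline; use https_transport() against a real Central Manager and keep TLS verification on.

```python
"""Small client for the certificate endpoints used in the API procedures on
this page. Added example, not F5 code; the Bearer header, the "id" reply
field and the CSR field name are assumptions (see the lead-in).
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

Json = Dict[str, object]
Transport = Callable[[str, str, Optional[Json], Dict[str, str]], Json]


def https_transport(verify_tls: bool = True) -> Transport:
    """Real transport over urllib. Keep verification on outside a lab: private
    keys and passphrases travel over this connection."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE

    def send(method: str, url: str, body: Optional[Json], headers: Dict[str, str]) -> Json:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def subject_payload(common_name: str, organization: str, country: str, *,
                    division: str = "", locality: str = "", state: str = "",
                    administrator_email: str = "", duration_in_days: int = 90,
                    key_type: str = "RSA", key_size: int = 2048) -> Json:
    """Subject and key fields shared by the create payloads on this page;
    multi-valued subject fields go out as one-element lists, as in the examples."""
    if key_type == "RSA" and key_size < 2048:
        raise ValueError("RSA keys shorter than 2048 bits are rejected by public CAs")
    if duration_in_days <= 0:
        raise ValueError("duration_in_days must be positive")
    payload: Json = {"common_name": common_name, "organization": [organization],
                     "country": [country], "duration_in_days": duration_in_days,
                     "key_type": key_type, "key_size": key_size}
    for field, value in (("division", division), ("locality", locality), ("state", state)):
        if value:
            payload[field] = [value]
    if administrator_email:
        payload["administrator_email"] = administrator_email
    return payload


class CmCertificates:
    def __init__(self, cm_mgmt_ip: str, token: str, transport: Optional[Transport] = None):
        self.base = f"https://{cm_mgmt_ip}/api/v1/spaces/default/certificates"
        self.headers = {"Authorization": f"Bearer {token}",  # assumed header form
                        "Content-Type": "application/json"}
        self.send = transport or https_transport()

    def create(self, name: str, issuer: str, subject: Json) -> str:
        """POST .../create: "CA" yields key + CSR, "Self" a ready certificate. Returns the id."""
        if issuer not in ("CA", "Self"):
            raise ValueError("issuer must be 'CA' or 'Self'")
        body: Json = {"name": name, "issuer": issuer, **subject}
        return str(self.send("POST", f"{self.base}/create", body, self.headers)["id"])

    def get(self, cert_id: str) -> Json:
        """GET .../{id}: the record that holds the CSR for a CA-issued entry."""
        return self.send("GET", f"{self.base}/{cert_id}", None, self.headers)

    def import_pem(self, cert_pem: str, *, cert_id: Optional[str] = None,
                   name: Optional[str] = None, key_pem: Optional[str] = None,
                   key_passphrase: Optional[str] = None) -> Json:
        """POST .../import: cert_id completes a CSR or overwrites; name creates a new entry."""
        if (cert_id is None) == (name is None):
            raise ValueError("pass exactly one of cert_id or name")
        if "-----BEGIN CERTIFICATE-----" not in cert_pem:
            raise ValueError("cert_pem is not a PEM certificate")
        body: Json = {"cert_text": cert_pem}
        for field, value in (("id", cert_id), ("name", name), ("key_text", key_pem),
                             ("key_passphrase", key_passphrase)):  # passphrase: from a secret store
            if value is not None:
                body[field] = value
        return self.send("POST", f"{self.base}/import", body, self.headers)


def request_ca_signed(cm: CmCertificates, name: str, subject: Json,
                      sign: Callable[[Json], str]) -> str:
    """Steps 1-5 of the CA-signed API procedure: create, fetch the CSR record,
    have the CA sign it (sign() is your CA integration), import the result."""
    cert_id = cm.create(name, "CA", subject)
    cm.import_pem(sign(cm.get(cert_id)), cert_id=cert_id)
    return cert_id


class FakeTransport:
    """Offline stand-in: records calls and answers with the id from the page's
    import example. The "csr" field name is this fake's own, not the API's."""
    FAKE_ID = "20e26ced-39fc-4ca0-8161-eb2bdf7e7928"

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, body: Optional[Json], headers: Dict[str, str]) -> Json:
        self.calls.append((method, url, body))
        if method == "GET":
            return {"id": url.rsplit("/", 1)[1],
                    "csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"}
        return {"id": (body or {}).get("id", self.FAKE_ID)}
```

Against a real Central Manager, construct CmCertificates(cm_mgmt_ip, token) with no transport argument, pass a sign() that submits the CSR to your CA and returns the PEM it issues, and supply key_passphrase from an environment variable or secret store rather than a literal as in the page's payload examples.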

Delete a certificate

Remove certificate and key pairs from the BIG-IP Next Central Manager. Before you remove certificates and key pairs from BIG-IP Next Central Manager, verify that they are not in use. You can do so by viewing the status on the Certificates & Keys screen. Certificates with an Active or Warning status might be in use.

To delete a certificate using Central Manager GUI:

You can remove one or multiple certificate and key pairs.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, and then click Applications.

  2. From the left menu click Certificates & Keys.

  3. Select the checkbox next to the certificates and keys you want to delete from BIG-IP Next Central Manager.

  4. At the top right of the screen, click Remove.

  5. Click Remove to confirm the action and remove the selected certificate(s) and key(s).

Results

The certificate is deleted.

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To delete a certificate using Central Manager API:

  1. Send a GET request to the /spaces/default/certificates endpoint. Identify the ID of the certificate that you want to delete.

  2. Send a DELETE request to the /spaces/default/certificates/<certificate id> endpoint, where <certificate id> is the ID identified in step 1.

    DELETE https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/<certificate id>

Results

The certificate is deleted.

Delete Multiple Certificates

Prerequisites

Authenticate with the BIG-IP Next Central Manager API. For details refer to Authenticate with the BIG-IP Next Central Manager.

Procedure

To delete multiple certificates using Central Manager API:

  1. Send a GET request to the /spaces/default/certificates endpoint. Identify the IDs of the certificates that you want to delete.

  2. Send a DELETE request to the /spaces/default/certificates endpoint with the IDs in the payload.

    DELETE https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates

  3. For the request payload, use the following example, modifying the values as required.

    {
       "certificates": [
          "733eedf9-5917-4400-80ff-0a291f36b96a",
          "733eedf9-5914-4404-80ff-0a291f36b96a"
       ]
    }
    

Results

The certificates are deleted.

Deploy a certificate to a BIG-IP Next instance

To deploy a certificate to a BIG-IP Next instance, you deploy an application (that includes a certificate) to the instance. To include a certificate in your deployment, you use a template that includes a certificate parameter. When a template includes this parameter, BIG-IP Next Central Manager prompts you to choose which certificate to use when you deploy the application. The example template titled http contains the FAST template code that includes this parameter.

Certificate Status

Status indicates certificate expiration, and whether you need to renew or remove a certificate.

  • Expired (Critical) - Certificate is expired and no longer active. Renew or delete the inactive certificate.

  • Warning - Certificate is within 30 days of expiration and needs renewal or replacement.

  • Active - Certificate is active and has not yet reached the specified expiration warning period.

  • Error - Creating or renewing the certificate failed because the certificate and key do not match (the fingerprint of the certificate's public key differs from that of the key).