Manage SSL Objects from BIG-IQ

Users of the BIG-IQ API can manage SSL Objects from the BIG-IQ by using the SSL Object Management API. This documentation discusses the following three cases where using this API to manage SSL Objects may enable you to secure your applications more easily.

  • Make an existing (unmanaged) SSL object into a managed object so you can deploy it from BIG-IQ.
  • Refresh an existing SSL object by uploading a file.
  • Create a new SSL object on the BIG-IQ.

Please see the SSL Object Management API documentation for descriptions, and some examples, of all the parameters enabling the use of this API with key, certificate, certificate signing request (CSR), and certificate revocation list (CRL) objects. For example, you can use the BIG-IQ API to get a list of all the management tasks for SSL objects, create a new certificate and key, replace an existing certificate and key, add a key or certificate or CSR from a saved file, or create a certificate signing request (CSR) or certificate revocation list (CRL). The following documentation focuses on certificate objects, but the steps to manage other types of SSL objects should be similar.

Make an unmanaged key and certificate managed

BIG-IQ is unable to deploy an unmanaged certificate or key object. Both a managed key and a managed certificate are required to deploy the key or certificate from BIG-IQ. To bring an unmanaged object under BIG-IQ management, associate the unmanaged object with its data file using the SSL Object Management API. BIG-IQ verifies the file, adds a file object, and completes the key or certificate by using a reference to the file object. The object can then be deployed by BIG-IQ.

First, make the unmanaged key managed.

Prerequisites

  • You will need to provide the keyReference for the unmanaged key object you want to make managed.
  • The key’s data file has been uploaded to /var/config/rest/downloads/ on the BIG-IQ.

Actions

  • Send a POST request to the mgmt/cm/adc-core/tasks/certificate-management endpoint with the value of command equal to “ASSOCIATE_KEY” in the body of the request.
  • Note the value of the task’s id in the response to the POST.
  • Send GET requests to confirm that the status of the task has updated to “FINISHED”.

Result

  • BIG-IQ verifies the file, adds a file object, and completes the key object by using a reference to the file object.
  • This makes the key object managed.

Second, make the unmanaged certificate managed.

Prerequisites

  • You will need to provide the certReference for the unmanaged certificate object you want to make managed.
  • The certificate’s data file has been uploaded to /var/config/rest/downloads/ on the BIG-IQ.

Actions

  • Send a POST request to the mgmt/cm/adc-core/tasks/certificate-management endpoint with the value of command equal to “ASSOCIATE_CERT” in the body of the request.
  • Note the value of the task’s id in the response to the POST.
  • Send GET requests to confirm that the status of the task has updated to “FINISHED”.

Result

  • BIG-IQ verifies the file, adds a file object, and completes the certificate object by using a reference to the file object.
  • This makes the certificate object managed and enables it to be deployed by BIG-IQ.

Refresh an existing certificate with a file

To refresh an existing certificate before it expires, you first generate a certificate signing request (CSR) to provide to your certificate authority (CA). You can then upload the certificate data file received back from your CA to the existing certificate object. Generate the CSR and refresh the existing certificate by using the SSL Object Management API.

First, generate a CSR and send it to your CA.

Prerequisites

  • You will need to know the certificate authority (CA).
  • You will need to know the key property parameters or the keyReference.

Actions

  • Send a POST request to the mgmt/cm/adc-core/tasks/certificate-management endpoint with the value of command equal to “GENERATE_CSR” in the body of the request.
  • Note the value of the task’s id in the response to the POST.
  • Send GET requests to confirm that the status of the task has updated to “FINISHED”.

Result

  • After the task has finished, the response contains a csrReference for the generated CSR.
  • Send the CSR to your CA and receive back a certificate data file.

Second, refresh your existing certificate object on the BIG-IQ before it expires by replacing it using the file received from the CA.

Prerequisites

  • You will need to provide the certReference for the existing certificate object you want to replace.
  • The certificate’s data file has been uploaded to /var/config/rest/downloads/ on the BIG-IQ.

Actions

  • Send a POST request to the mgmt/cm/adc-core/tasks/certificate-management endpoint with the value of command equal to “REPLACE_CERT” in the body of the request.
  • Note the value of the task’s id in the response to the POST.
  • Send GET requests to confirm that the status of the task has updated to “FINISHED”.

Result

  • BIG-IQ adds a file object.
  • This replaces the existing certificate object.

Create a new self-signed certificate

You can create a new self-signed certificate by using the SSL Object Management API. You provide the certificate’s naming and property parameters. If you also specify the key property parameters, a new key is generated and used to generate the new certificate. A file is created and stored in object storage and a new object is created referencing the file.

Prerequisites

  • You will need to provide the certificate’s naming and property parameters.
  • You will either need to provide the key property parameters or a keyReference of an existing key object.

Actions

  • Send a POST request to the mgmt/cm/adc-core/tasks/certificate-management endpoint with the value of command equal to “GENERATE_CERT” in the body of the request.
  • Note the value of the task’s id in the response to the POST.
  • Send GET requests to confirm that the status of the task has updated to “FINISHED”.

Result

  • The response to the GET can include a certReference object for a new certificate.
  • The response to the GET can include a keyReference object for a new key.