Auto renewal of device certificate

Question

Hello everyone, &nbsp;
We have a customer who has two f5 machines in HA pair. And for them we have device trust based on default device certificates. After this trust was established we import new certificate, generated from our customer's CA, and they expired after two years. &nbsp;
We want to automate the process of renewal of certificates after their expiration.
After research we see only how to accomplish this manually.&nbsp;
Do you have any ideas?&nbsp;
Thanks in advance.&nbsp;
Regards,&nbsp;
Preslav&nbsp;

preslav_ilevski · Answer

Hi all,&nbsp;
I found the explanation. There's no option to renew device certificate automatically. And one correction - the device certificate is not used to establish trust relationship between HA units. In order to establish secure channel between HA peers we use /config/ssl/ssl.crt/dtdi.crt and /config/ssl/ssl.crt/dtca.crt certificates. &nbsp;
Device certificate (System -&gt; Device certificates -&gt; Device certificate) does not affect DSC (HA) synchronization. It does, however, affect DNS synchronization and iQuery communication.&nbsp;
More on BIG-IP certificates can be found here: https://support.f5.com/csp/article/K15664&nbsp;
Regards,&nbsp;
Preslav&nbsp;

Forum Discussion

Auto renewal of device certificate

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

irule to enable http/2 acceleration

VS FORWARDING & ROUTE

Statistics ›› Analytics : HTTP : Overview

SNI Sites not taking correct certificate.

Related Content

AS3 w/ certificates and renewals..

why the device certificate verify failed when the device certificate is not expired?

unsupported certificate error with device certificates

issue with URL after certificate renewal.

Help F5 Transform the BIG-IP Administrator Certification

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS