Forum Discussion
BIG-IQ and certificate management - why certificates are not imported
Hi,
I am quite new to BIG-IQ so maybe this is a very obvious question. Anyway, I am quite surprised that BIG-IQ is not importing the actual certificate files from BIG-IP.
All tests were done on BIG-IQ 5.2.0 and BIG-IP VE 13.0.0 HF2.
After BIG-IP import all certificates are marked as Unmanaged.
The only way I can find to make certificates managed is to manually export the certificates, keys and chain files from the BIG-IP device and import them into BIG-IQ.
That is a lot of work :-( Are there any automation tools for that?
Assuming that BIG-IQ has both REST API access (over HTTPS) and SSH access to BIG-IP, there should not be a problem with transferring the actual files from BIG-IP.
I can understand the security and technical issues with key files - those are the most sensitive data and can/should be protected with passwords - so a transfer might not be possible.
But in the case of just certificates or chain files there is no security/password, so there should be an option to import those from BIG-IPs.
Am I missing something here?
I will also appreciate any clue as to how this process can be automated.
Piotr
- Madhu_Rajagopal (Employee)
We have a script to import SSL Certificate, Key & CRL from BIG-IP to BIG-IQ: https://devcentral.f5.com/articles/automate-import-of-ssl-certificate-key-crl-from-big-ip-to-big-iq-31899
Does that help?
- nathe (Cirrocumulus)
Piotr,
I assume this is BIG-IQ giving you flexibility on what you can do around certs/keys. If you want to manage them from an expiry point of view and they don't need to be on other systems - e.g. other systems aren't going to have them in any client or server SSL profile - then Unmanaged will work.
However, if you do want BIG-IQ to be more of a certificate store, then you will need to import them, as you have found.
You can import the certificates/keys from the BIG-IQ GUI itself. From the BIG-IQ Device Management Guide, I hope this helps:

When you discover a BIG-IP® device, BIG-IQ® Centralized Management imports its SSL certificates' properties (metadata), but not the actual SSL certificates and key pairs. These certificates display as Unmanaged on the BIG-IQ Certificates & Keys screen. This allows you to monitor each SSL certificate's expiration date from BIG-IQ, without having to log on directly to the BIG-IP device.

Convert an unmanaged SSL certificate and key pair to managed so you can centrally manage it from BIG-IQ Centralized Management. This saves you time because you don't have to log on to individual BIG-IP devices to create, monitor, or deploy certificates.

1. At the top of the screen, click Configuration.
2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
3. Click the name of the unmanaged certificate.
4. For the Certificate Properties State setting, click the Import button and then:
   - To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
   - To paste the content of a certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
5. For the Key Properties State setting, click the Import button and then:
   - To upload the key's file, select Upload File and click the Choose File button to navigate to the key file.
   - To paste the content of a key file, select Paste Text and paste the key's content into the Key Source field.
6. Click the Save & Close button at the bottom of the screen.

The SSL certificate now displays as Managed on the Certificates & Keys screen. You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile, and deploy it to a BIG-IP device. For more information, refer to the topic titled Deploying Changes.
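As an added example (not part of this thread, and not the F5 script Madhu links), here is the gatekeeping step a practitioner would want in front of any automated import: Piotr's point is that certificate and chain files carry no secret while key files do, so a script that stages files for the BIG-IQ "Upload File" import should let only public PEM material through and withhold keys, including password-protected ones, regardless of the file extension. The BIG-IP paths /config/ssl/ssl.crt/ and /config/ssl/ssl.key/ and the scp copy step are assumptions about the deployment and are not performed here; the sample PEM files are constructed placeholders, not real certificates or keys; the actual upload to BIG-IQ is left to the GUI steps quoted above or to the linked script.

```python
"""Stage SSL files copied off a BIG-IP and decide which may be imported into BIG-IQ.

Added example for this thread. Assumes the files were already copied to a local
staging directory (e.g. with scp from /config/ssl/ssl.crt/ and /config/ssl/ssl.key/
on the BIG-IP, which is an assumption about the deployment). Nothing is sent anywhere.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# One PEM block: label, then body up to the matching END line (\1 = same label).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Labels that carry no secret and may be handed to BIG-IQ's Upload File import.
PUBLIC_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CRL"}
# Everything else (RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...) is
# withheld. Password protection (Proc-Type: 4,ENCRYPTED) does not make a key public.


@dataclass
class Manifest:
    public: dict = field(default_factory=dict)    # file name -> list of PEM labels
    withheld: dict = field(default_factory=dict)  # file name -> reason
    unparsed: list = field(default_factory=list)  # text files with no PEM block


def classify_pem(text):
    """Return the PEM labels found in text, in order ([] if there is no PEM block)."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_public_only(labels):
    """True only when the file has at least one block and every block is public."""
    return bool(labels) and all(label in PUBLIC_LABELS for label in labels)


def stage(staging_dir):
    """Classify every file in staging_dir by PEM content, never by its extension."""
    manifest = Manifest()
    for name in sorted(os.listdir(staging_dir)):
        path = os.path.join(staging_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            raw = fh.read()
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            # DER or PKCS#12 bundles cannot be shown key-free here, so withhold them.
            manifest.withheld[name] = "binary (not PEM); inspect by hand"
            continue
        labels = classify_pem(text)
        if not labels:
            manifest.unparsed.append(name)
        elif is_public_only(labels):
            manifest.public[name] = labels
        else:
            bad = sorted({label for label in labels if label not in PUBLIC_LABELS})
            manifest.withheld[name] = "contains " + ", ".join(bad)
    return manifest


def write_demo_files(staging_dir):
    """Write constructed sample files; the bodies are placeholders, not real material."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    key = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    crl = "-----BEGIN X509 CRL-----\nMIIB...constructed...\n-----END X509 CRL-----\n"
    samples = {
        "www.example.com.crt": cert,
        "chain.crt": cert + cert,          # intermediate bundle: two public blocks
        "www.example.com.key": key,        # password-protected key: still withheld
        "mislabelled.crt": cert + key,     # key pasted into a .crt: extension lies
        "ca-bundle.crl": crl,
        "notes.txt": "renewal due Q3\n",
    }
    for name, text in samples.items():
        with open(os.path.join(staging_dir, name), "w") as fh:
            fh.write(text)
    with open(os.path.join(staging_dir, "default.p12"), "wb") as fh:
        fh.write(b"\x30\x82\x02\x10\x02\x01\x03")  # constructed binary stand-in


def demo_manifest():
    """Build the constructed staging directory and return its manifest."""
    with tempfile.TemporaryDirectory() as staging_dir:
        write_demo_files(staging_dir)
        return stage(staging_dir)


if __name__ == "__main__":
    m = demo_manifest()
    for name, labels in m.public.items():
        print("IMPORT  ", name, labels)
    for name, reason in m.withheld.items():
        print("WITHHOLD", name, reason)
    for name in m.unparsed:
        print("SKIP    ", name)
```

The classification keys on the PEM label rather than on the .crt/.key file name, so a key that an operator pasted into a certificate file is caught before it ever leaves the staging host; binary bundles such as PKCS#12 are withheld outright because a key may be hidden inside them.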