Forum Discussion

Here_There's avatar
Icon for Nimbostratus rankNimbostratus
Oct 22, 2023

Changing self-signed device certificate impact


I wanna know if there is any impact from changing the F5 self-signed device certificate to a CA-signed one

- Is there any reboot?

- any disruption connection will affect the LTM services?

- Does any client certificate need to be applied?

- any out-of-sync issue ?

kindly note I found many sites describing the way to do it, but none describes the impacts

and what is required to prepare before the change.



5 Replies

  • EDITORS NOTE: this question was posted in our Suggestions section in October - Pinning it to the top of the forum so others may get a chance to review/help if possible.


    Here_There - thanks for the post. I think this should be a question in our Technical Forum
    I will move it there and do something to feature it so the community has a chance to take a look.

  • Here_There Are you referring to the SSL cert that is used for the F5 GUI? If you are referring to that one, the GUI will become inaccessible while httpd restarts and I believe that's it. Or are you referring to the SSL cert used for HA, or the SSL client profile?

  • Hi Here_There,

    there is a procedure for changing the BIG-IP system device certificate, that's the one for the WebUI:
    K16951115: Changing the BIG-IP system device certificate using the Configuration utility
    There is a different procedure for replacing the Device Trust Certificates. those are the certs used in a DSC / HA setup:
    K47052252: Procedure to renew Device Trust Certificates on BIG-IP system
    And lastly there is the default.crt in you find in System > Certificate Management > Traffic Certificate Management > SSL Certificate List. No need to change anything here.


  • Hi Here There

    1. Please let me know F5 module ? Example GTM/LTM ?

    2. In case you have function IQEURY between F5 device, IQUERY connection will terminate, You have to add CA on all device that you trust and bigip add again

    3. In case you have redundant device, You have to add peer device to device group again


    I hope this information wil help you

  • Here_There 
    Looks like some really good advice on your issue.
    Were you able to progress with your change to the CA-Signed device?

    Please choose "Accept as Solution" on any of the replies that proved helpful/correct.
    Cheers, Lief