Preet_pk
Apr 20, 2026

F5 Device Management Certificate renewal

Hi All,

I need to manually renew the F5 (Ver - 17.5.3.4) device Management Certificate, which expires in 30 days. Actually, we have auto cert renewal configured via Sectigo/Venafi, but it looks like the auto renewal was not successful. Please share the complete GUI & CLI steps for renewing the Device Management Certificate manually.

Also, please share troubleshooting steps to figure out why the auto renewal from the Venafi external CA failed.

2 Replies

  • Hello, you can do this below:

    1. Manual Renewal via GUI

    (If Generating a CSR for Venafi/Sectigo)

    1. Log in to the BIG-IP Configuration Utility (GUI).

    2. Navigate to System > Certificate Management > Device Certificate Management > Device Certificate.

    3. Click the Renew button.

    4. From the Issuer dropdown, select Certificate Authority.

    5. Fill in the required fields (Common Name, Organization, etc.) and click Finished.

    6. Download the generated .csr file (or copy the text) and submit it to Sectigo/Venafi to request your new certificate.

    7. Once you receive the signed certificate, return to System > Certificate Management > Device Certificate Management > Device Certificate and click Import.

    8. Select the signed .crt file and complete the import.

    If Renewing as Self-Signed (Temporary Fix/Bypass)

    1. Follow steps 1-3 above.

    2. From the Issuer dropdown, select Self.

    3. Update the lifetime (e.g., 365 days) and click Finished. (Note: You will be immediately logged out and will need to accept the new self-signed certificate warning in your browser to log back in.)

    2. Manual Renewal via CLI (TMSH/Bash)

    Connect to your BIG-IP device via SSH and enter the bash shell. The management certificate files are natively stored in /config/httpd/conf/ssl.crt/server.crt and /config/httpd/conf/ssl.key/server.key.

    Best Practice: Always back up your current certificate and key before modifying them.

    cp /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.crt/server.crt.bak
    cp /config/httpd/conf/ssl.key/server.key /config/httpd/conf/ssl.key/server.key.bak

    1. Retrieve the /shared/tmp/server.csr file and submit it to Venafi/Sectigo.

    2. Once you receive the new signed certificate, upload it to the BIG-IP (via SCP/WinSCP) into the /config/httpd/conf/ssl.crt/ directory as server.crt, overwriting the old file.

    3. Restart the web service daemon to apply the new certificate into the running configuration:

    tmsh restart sys service httpd
    tmsh save sys config

    If multiple policy folders in Venafi contain a certificate with the identical name, the F5 sync process will pause and throw an alert.

    3. For Troubleshooting

    DNS & Routing Reachability: Confirm that the BIG-IP management interface still has proper routing and DNS resolution to reach the Venafi Web SDK endpoint. Firewalls or proxy rules can quietly change. Run a quick curl -vk https://<venafi-endpoint-url> from the F5 bash prompt to verify network reachability and SSL handshakes.

    Certificate Import Overlap (Known Race Condition): Per F5 documentation ("When used with a Venafi certificate manager, the BIG-IP may fail to pass traffic"), if Venafi is configured with frequent, overlapping certificate update polling, it can occasionally push an update that corrupts the certificate locally, causing the auto-import to fail entirely.
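As an added example (not code from this thread or from F5), here is a bash script that wraps the backup, CSR and httpd-restart steps from the reply above with two checks the reply does not include: whether the device certificate expires within 30 days, and whether a signed certificate actually matches server.key before it is copied into place. The file paths are the ones named in the reply; the CSR subject, the .bak suffix and the script name are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread above): pre-flight helpers for a manual
# BIG-IP device-certificate renewal. The file paths are those the reply names;
# the CSR subject and .bak naming are assumptions (override via env vars).
CRT="${CRT:-/config/httpd/conf/ssl.crt/server.crt}"
KEY="${KEY:-/config/httpd/conf/ssl.key/server.key}"
CSR="${CSR:-/shared/tmp/server.csr}"

# Return 0 when the certificate in $1 expires within $2 days (renewal is due).
# openssl -checkend exits non-zero when the cert expires inside the window.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 only when the private key in $2 belongs to the certificate in $1,
# by comparing SHA-256 digests of the two public keys. A signed certificate
# that does not match server.key leaves httpd unable to start after restart.
cert_matches_key() {
  local c k
  [ -r "$1" ] && [ -r "$2" ] || return 2
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256) || return 2
  [ "$c" = "$k" ]
}

# Back up the current certificate and key with a date suffix before any change.
backup_current() {
  local stamp; stamp=$(date +%Y%m%d)
  cp -p "$CRT" "$CRT.bak.$stamp" && cp -p "$KEY" "$KEY.bak.$stamp"
}

# CSR for Venafi/Sectigo from the existing key; SUBJ is a placeholder DN, override it.
generate_csr() {
  openssl req -new -key "$KEY" -out "$CSR" -subj "${SUBJ:-/CN=bigip.example.com/O=Example}"
}

# Install the signed certificate ($1) only after the key check passes, then
# restart httpd and save the config as the reply describes.
install_signed_cert() {
  cert_matches_key "$1" "$KEY" || { echo "refusing: $1 does not match $KEY" >&2; return 1; }
  backup_current || return 1
  cp "$1" "$CRT" && tmsh restart sys service httpd && tmsh save sys config
}

# Usage: ./renew-check.sh check  (exits 1 when the cert expires within 30 days)
if [ "${1:-}" = "check" ]; then
  expires_within_days "$CRT" 30 && { echo "device certificate expires within 30 days" >&2; exit 1; }
  echo "device certificate is valid for more than 30 days"
fi
```

Run `./renew-check.sh check` from the BIG-IP bash shell to confirm the expiry window, then call install_signed_cert with the file returned by Venafi/Sectigo.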