Forum Discussion
How can I change the certificate for the management interface for the GUI?
Hi,
At the moment we have some F5s with different modules, all connected to an EM. We have a CA in our company, so there is a requirement to change the management interface certificate or make the current certificate valid. Could you help me with a procedure to resolve the invalid certificate alert?
2 Replies
- eneR
Cirrostratus
Hi,
in the F5 GUI go to Main --> System --> Device Certificates and import/replace the existing certificate with one from your company.
- StephanManthey
Nacreous
Hi,
the default cert has a common name of localhost.localdomain and, as eneR already pointed out, it is best practice to replace it with a cert issued for the device-specific hostname. The cert can be self-signed or signed by a certificate authority. If you have it signed by a CA, make sure they leave the certificate purpose as it is (both client and server cert). In case you have (an) intermediate CA(s) involved and your clients trust the root only, it would be required to import the intermediate CA or chain as well. This has to be done on the CLI after copying your chain to /config/httpd/conf/ssl.crt/intermediate_ca.crt:

    chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt
    tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    bigstart restart httpd

Certs are generally stored in PEM format. Be very careful if you plan to deploy GTM or LinkController. The syncgroup trust is based on the device certs, and the purpose attributes (client/server) and chain of trust are mandatory.
Thanks, Stephan
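
An added example, not part of the posts above: a pre-import check with the standard openssl CLI that a device certificate is issued for the device hostname, chains through the intermediate file to the root, and is valid for both client and server purposes. The host name bigip1.example.com, the file names and the demo PKI the script generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: file names, host name and demo PKI below are constructed.

# check_device_cert CERT CHAIN ROOT HOSTNAME -> returns 0 only if all pass
check_device_cert() {
  cert=$1; chain=$2; root=$3; host=$4; rc=0
  # Name check: cert must be issued for the device-specific hostname.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: certificate is not issued for $host"; rc=1; }
  # Chain + purpose: must verify up to the root through the chain file and
  # be acceptable as both a server and a client certificate.
  for p in sslserver sslclient; do
    openssl verify -CAfile "$root" -untrusted "$chain" -purpose "$p" \
      "$cert" >/dev/null 2>&1 || { echo "FAIL: chain or purpose ($p)"; rc=1; }
  done
  return $rc
}

# make_demo_pki DIR: constructed root -> intermediate -> two device certs
make_demo_pki() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[both]' 'extendedKeyUsage = serverAuth,clientAuth' \
    'subjectAltName = DNS:bigip1.example.com' \
    '[srv]' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:bigip1.example.com' > pki.cnf
  csr() { openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 2 -extfile pki.cnf -extensions "$3" \
    -out "$1.crt" 2>/dev/null; }
  csr root 'Demo Root CA'; csr int 'Demo Intermediate CA'
  csr good bigip1.example.com; csr srvonly bigip1.example.com
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile pki.cnf -extensions ca -out root.crt 2>/dev/null
  sign int root ca && sign good int both && sign srvonly int srv
)

# Demo: good.crt carries both purposes, srvonly.crt was issued server-only.
d=$(mktemp -d) && make_demo_pki "$d" || exit 1
for c in good srvonly; do
  echo "== $c.crt"
  check_device_cert "$d/$c.crt" "$d/int.crt" "$d/root.crt" \
    bigip1.example.com && echo "OK" || echo "-> rejected"
done
```

To check a real certificate, call check_device_cert with the issued certificate, the intermediate chain file, the root CA file and the device hostname.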