Forum Discussion
El_Bendecido_12
Altostratus
Dec 04, 2015
How can I change certificate for management interface for GUI?
Hi,
At the moment we have some F5s with different modules, and all connect to an EM.
We have a CA in our company; because of this there is a requirement to change the management interface certificate or ...
StephanManthey
Nacreous
Dec 07, 2015
Hi,
the default cert has a common name of localhost.localdomain and as eneR already pointed out it is best practice to replace it by a cert issued for the device-specific hostname. The cert can be self-signed or signed by a certificate authority. If you have it signed by a CA, make sure they leave the certificate purpose as it is (both client and server cert). In case you have (an) intermediate CA(s) involved and your clients trust the root only, it would be required to import the intermediate CA or chain as well. This has to be done on CLI after copying your chain to /config/httpd/conf/ssl.crt/intermediate_ca.crt:
chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt
tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
bigstart restart httpd
Certs are generally stored in PEM format. Be very careful if you plan to deploy GTM or LinkController. The syncgroup trust is based on the device certs and the purpose attributes (client/server) and chain of trust are mandatory.
Thanks, Stephan
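
A pre-deployment check for the three points in the answer above (cert issued for the device hostname, purpose allowing both client and server use, chain reaching the trusted root through the intermediate), as an added example that is not part of the original thread. It assumes the `openssl` CLI is available; the function names, file arguments and hostname are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: sanity-check a management (httpd) certificate before import.
# Usage: script.sh <device.crt> <intermediate_chain.crt> <root_ca.crt> <hostname>
# All four arguments are placeholders supplied by the operator.

# The CA must leave both purposes enabled: "SSL client" and "SSL server".
check_purpose() {
    p=$(openssl x509 -in "$1" -noout -purpose 2>/dev/null) || return 1
    printf '%s\n' "$p" | grep -q '^SSL client : Yes' &&
    printf '%s\n' "$p" | grep -q '^SSL server : Yes'
}

# The certificate must be issued for the device-specific hostname,
# not the default localhost.localdomain.
check_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Clients that trust only the root need the intermediate(s) presented by
# the server: verify the leaf against the root using only the chain file
# that will be configured as ssl-certchainfile.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null |
        grep -q ': OK$'
}

# Run all checks and report every failure, not just the first one.
check_mgmt_cert() {
    rc=0
    check_purpose "$1" ||
        { echo "FAIL: purpose must allow both SSL client and SSL server"; rc=1; }
    check_host "$1" "$4" ||
        { echo "FAIL: certificate is not issued for $4"; rc=1; }
    check_chain "$1" "$2" "$3" ||
        { echo "FAIL: chain file does not link the cert to the root"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 is suitable for $4"
    return "$rc"
}

if [ "$#" -eq 4 ]; then
    check_mgmt_cert "$@"
fi
```
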