Forum Discussion

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Nov 08, 2022
Solved

How to deploy certificates with BIG-IQ

I'm wondering how I can create/import certificates (mainly ca bundles) on the BIG-IQ and deploy them to several or all of my BIG-IPs? Under "Configuration" I imported a CA bundle and it will be displ...
application delivery
BIG-IQ
certificates
  • Stefan_Klotz's avatar
    Stefan_Klotz
    Nov 09, 2022

    I found the solution in the meanwhile. The missing piece were the "Pinning Policies" under "Configuration -> Local Traffic". Here you need to assign your newly created items to one or several BIG-IP devices. This also works fine for simply the certificate file itself. No need to create any additional clientSSL profile.

    Once pinned, you can create a Deployment with "Source Scope: Partial Changes" and select the newly created certificate. If you now click on "Find Relavant Devices" all BIG-IP devices will be displayed, where you previously pinned the new certificate. After executing the Deployment the certificate is part of the local configuration of all selected BIG-IP devices.

    These steps are also required for any other configuration items created on the BIG-IQ. Before deploying them to the required BIG-IP devices, it needs to be pinned first to them.

    Thanks anyway!

    Regards Stefan 🙂

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Nov 09, 2022

I found the solution in the meanwhile. The missing piece were the "Pinning Policies" under "Configuration -> Local Traffic". Here you need to assign your newly created items to one or several BIG-IP devices. This also works fine for simply the certificate file itself. No need to create any additional clientSSL profile.

Once pinned, you can create a Deployment with "Source Scope: Partial Changes" and select the newly created certificate. If you now click on "Find Relavant Devices" all BIG-IP devices will be displayed, where you previously pinned the new certificate. After executing the Deployment the certificate is part of the local configuration of all selected BIG-IP devices.

These steps are also required for any other configuration items created on the BIG-IQ. Before deploying them to the required BIG-IP devices, it needs to be pinned first to them.

Thanks anyway!

Regards Stefan 🙂