Forum Discussion
Sep 14, 2013
You can use the following script to modify a self-signed device certificate on your BIG-IPs after adjusting the parameters accordingly.
It will also reset the device trust and modify the trusted certificate.
The syntax can be used to create a 2048-bit key and needs to be changed to craft a CSR to be signed by your own CA.
Be aware that the device trust used to break after changing the device cert.
Have a look at this thread for scripts to modify names, certs and reestablish trust and device group for 2 devices.
#!/bin/bash
# Subject fields for the new device certificate
unit="bigip171.lb-net.bit"
org="LB-NET"
ou="LAB"
city="Frankfurt"
state="Germany"
country="DE"
# Stop the web server and remove the old certificate and key
bigstart stop httpd
rm -f /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.key/server.key
# Create a new 2048-bit RSA key and a self-signed certificate with a lifetime of 3650 days
tmsh create sys crypto key server.key consumer webserver key-type rsa-private security-type normal key-size 2048
tmsh create sys crypto cert server.crt consumer webserver key server.key lifetime 3650 common-name "${unit}" organization "${org}" ou "${ou}" city "${city}" state "${state}" country "${country}"
bigstart start httpd
# Copy the new certificate to the big3d and gtm certificate files
cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt
cat /config/httpd/conf/ssl.crt/server.crt > /config/gtm/server.crt
# Reset the device trust
tmsh delete cm trust-domain all
sleep 5
# Rename the self device to the new name
tmsh mv cm device "$(tmsh list cm device one-line | awk '/self-device true/ {print $3}')" "${unit}"
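A post-change check for the files the script above rewrites, added here as an example and not part of the original post: it confirms the new certificate carries the expected common name and a key of at least 2048 bits, that the private key belongs to it, and that the big3d and gtm copies are identical to it. The function names and the `check.sh` file name are hypothetical; only standard `openssl` and `cmp` calls are used.

```shell
#!/bin/bash
# Added example: post-change checks for the certificate files the script rewrites.
# All function names are hypothetical; only standard openssl and cmp are used.

# Common name from the certificate subject (RFC 2253 form: CN=...,OU=...,O=...).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Public key size in bits, taken from the text dump of the certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the private key ($2) carries the public key in the cert ($1).
key_matches_cert() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_device_cert <expected-cn> <cert> <key> [copy ...]
# Reports every failed check and returns non-zero if any check failed.
verify_device_cert() {
    local cn=$1 cert=$2 key=$3 rc=0 f bits
    shift 3
    [ "$(cert_cn "$cert")" = "$cn" ] || { echo "FAIL: CN is not $cn"; rc=1; }
    bits=$(cert_bits "$cert")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key size ${bits:-unknown}"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "FAIL: key does not match cert"; rc=1; }
    for f in "$@"; do
        # The script copies with cat, so an up-to-date copy is byte-identical.
        cmp -s "$cert" "$f" || { echo "FAIL: $f differs from $cert"; rc=1; }
    done
    return $rc
}

# Run against the paths from the script when called with arguments, e.g.
# (check.sh is a placeholder file name):
#   ./check.sh bigip171.lb-net.bit /config/httpd/conf/ssl.crt/server.crt \
#       /config/httpd/conf/ssl.key/server.key /config/big3d/client.crt /config/gtm/server.crt
if [ $# -ge 3 ]; then verify_device_cert "$@"; fi
```

A copy that still holds the previous certificate shows up as a `differs from` failure, which is the state to look for if big3d or gtm communication fails after the change.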