How to deploy certificates with BIG-IQ

Stefan_Klotz
Cumulonimbus

I'm wondering how I can create/import certificates (mainly CA bundles) on the BIG-IQ and deploy them to several or all of my BIG-IPs? Under "Configuration" I imported a CA bundle and it will be displayed as "Managed Certificate". But under "Evaluate & Deploy -> Local Traffic & Network" I can choose either:

  • Partial Change: I can select the new certificate, but NO BIG-IP devices can be selected
  • All Changes: Here I can select the BIG-IP devices I want, but the newly created certificate will NOT be displayed as configuration change

Is this normal behavior, because just a certificate is not a "real" configuration item?

How can I achieve this?

Thank you!

Regards Stefan 🙂

1 ACCEPTED SOLUTION

Stefan_Klotz
Cumulonimbus

I found the solution in the meantime. The missing piece was the "Pinning Policies" under "Configuration -> Local Traffic". Here you need to assign your newly created items to one or several BIG-IP devices. This also works fine for simply the certificate file itself. No need to create any additional clientSSL profile.

Once pinned, you can create a Deployment with "Source Scope: Partial Changes" and select the newly created certificate. If you now click on "Find Relevant Devices", all BIG-IP devices where you previously pinned the new certificate will be displayed. After executing the Deployment, the certificate is part of the local configuration of all selected BIG-IP devices.

These steps are also required for any other configuration items created on the BIG-IQ. Before deploying them to the required BIG-IP devices, they need to be pinned to them first.

Thanks anyway!

Regards Stefan 🙂


3 REPLIES

Hi @Stefan_Klotz,

I have not worked with BIG-IQ before, but maybe there is a missing configuration. Please check the article below: https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-big-ip-devices-from-big-iq/ssl-certificates.html

I think you need this section:

"Convert an SSL certificate and key pair from unmanaged so you can deploy them to BIG-IP devices"
_______________________
Regards
Mohamed Kansoh

Dear Mohamed,

Thanks for your response. As already mentioned, the certificate is already managed! But if I check your link again, it seems I need a clientSSL profile. I'll try to make a "dummy" profile and check if this will work then and if this way makes sense for our setup at all.

Regards Stefan 🙂
