CumulonimbusHow to deploy certificates with BIG-IQ
I'm wondering how I can create/import certificates (mainly ca bundles) on the BIG-IQ and deploy them to several or all of my BIG-IPs? Under "Configuration" I imported a CA bundle and it will be displayed as "Managed Certificate". But under "Evaluate & Deploy -> Local Traffic & Network" I can choose either:
- Partial Change: I can select the new certificate, but NO BIG-IP devices can be selected
- All Changes: Here I can select the BIG-IP devices I want, but the newly created certificate will NOT be displayed as configuration change
Is this normal behavior, because just a certificate is not a "real" configuration item?
How can I avieve this?
Thank you!
Regards Stefan 🙂
I found the solution in the meanwhile. The missing piece were the "Pinning Policies" under "Configuration -> Local Traffic". Here you need to assign your newly created items to one or several BIG-IP devices. This also works fine for simply the certificate file itself. No need to create any additional clientSSL profile.
Once pinned, you can create a Deployment with "Source Scope: Partial Changes" and select the newly created certificate. If you now click on "Find Relavant Devices" all BIG-IP devices will be displayed, where you previously pinned the new certificate. After executing the Deployment the certificate is part of the local configuration of all selected BIG-IP devices.
These steps are also required for any other configuration items created on the BIG-IQ. Before deploying them to the required BIG-IP devices, it needs to be pinned first to them.
Thanks anyway!
Regards Stefan 🙂
