Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

How to deploy certificates with BIG-IQ

Go to solution
Stefan_Klotz
Cumulonimbus
Cumulonimbus

‎08-Nov-2022 05:22

I'm wondering how I can create/import certificates (mainly ca bundles) on the BIG-IQ and deploy them to several or all of my BIG-IPs? Under "Configuration" I imported a CA bundle and it will be displayed as "Managed Certificate". But under "Evaluate & Deploy -> Local Traffic & Network" I can choose either:

  • Partial Change: I can select the new certificate, but NO BIG-IP devices can be selected
  • All Changes: Here I can select the BIG-IP devices I want, but the newly created certificate will NOT be displayed as configuration change

Is this normal behavior, because just a certificate is not a "real" configuration item?

How can I avieve this?

Thank you!

Regards Stefan 🙂

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Stefan_Klotz
Cumulonimbus
Cumulonimbus

‎09-Nov-2022 06:27

I found the solution in the meanwhile. The missing piece were the "Pinning Policies" under "Configuration -> Local Traffic". Here you need to assign your newly created items to one or several BIG-IP devices. This also works fine for simply the certificate file itself. No need to create any additional clientSSL profile.

Once pinned, you can create a Deployment with "Source Scope: Partial Changes" and select the newly created certificate. If you now click on "Find Relavant Devices" all BIG-IP devices will be displayed, where you previously pinned the new certificate. After executing the Deployment the certificate is part of the local configuration of all selected BIG-IP devices.

These steps are also required for any other configuration items created on the BIG-IQ. Before deploying them to the required BIG-IP devices, it needs to be pinned first to them.

Thanks anyway!

Regards Stefan 🙂

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
Mohamed_Ahmed_Kansoh
MVP
MVP

‎08-Nov-2022 06:02 - edited ‎08-Nov-2022 06:04

Hi @Stefan_Klotz  , 
       I have not  worked with BigIQ before , but maybe there is missing configuration , Please check the below Article https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-big-ip-devices-from-big-iq/ssl-certificates.html

I think you need this section : 

"Convert an SSL certificate and key pair from unmanaged so you can deploy them to BIG-IP devices"
_______________________
Regards
Mohamed Kansoh
0 Kudos

Go to solution
Stefan_Klotz
Cumulonimbus
Cumulonimbus
In response to Mohamed_Ahmed_Kansoh

‎09-Nov-2022 01:31

Dear Mohamed,

thanks for your response. As already mentioned the certificate is already managed! But if I check your link again, it seems I need a clientSSL profile. I'll try to make a "dummy" profile and check if this will work then and if this way makes sense to our setup at all.

Regards Stefan 🙂

Go to solution
Stefan_Klotz
Cumulonimbus
Cumulonimbus

‎09-Nov-2022 06:27

I found the solution in the meanwhile. The missing piece were the "Pinning Policies" under "Configuration -> Local Traffic". Here you need to assign your newly created items to one or several BIG-IP devices. This also works fine for simply the certificate file itself. No need to create any additional clientSSL profile.

Once pinned, you can create a Deployment with "Source Scope: Partial Changes" and select the newly created certificate. If you now click on "Find Relavant Devices" all BIG-IP devices will be displayed, where you previously pinned the new certificate. After executing the Deployment the certificate is part of the local configuration of all selected BIG-IP devices.

These steps are also required for any other configuration items created on the BIG-IQ. Before deploying them to the required BIG-IP devices, it needs to be pinned first to them.

Thanks anyway!

Regards Stefan 🙂

0 Kudos
Copyright © 2023 Khoros, LLC