We are planning to update our Device Certificate and our setup: 2 Big IP 11.5.4 (Sync Group Peers).
1) When we renew the self-signed device certificate through the GUI, will it include the certificate key? Or how can we change the certificate key to 2048 bits? Currently, we have this warning: "This system's device certificate uses a key size that is considered insecure. It is strongly recommended that you use a certificate with a key size of at least 2048 bits."
2) Will the login account disconnect when we renew the certificate through GUI?
3) Will the sessions on virtual servers disconnect when we renew the certificate or when we reinitialize the iQuery? Or is there a downtime on our customer's end?
Thank you for your help!
1) To create a new cert with a private key that is 2048 bits follow the "Generating a new self-signed device certificate and private key" procedure in K9114: Creating a new SSL device certificate and key pair. This will overwrite the existing cert and key in /config/httpd/conf/ssl.crt/server.crt and /config/httpd/conf/ssl.key/server.key so if you need to save those for some reason, be sure to make copies before running the command from the procedure. If needed, this article has more detail specific to renewing certs as opposed to creating new: K6353: Updating a self-signed SSL device certificate on a BIG-IP system.
2) Yes. "Renewing the device certificate requires you to reauthenticate if you are using the Configuration utility"
3) Updating the device certificate has no effect on virtual server traffic. Reinitializing iQuery communication involves restarting big3d and gtmd and this should not disrupt existing virtual server connections since these have already resolved domain names and connected; however, iQuery connectivity will be briefly disrupted and the BIG-IP GTM/DNS system cannot respond to any wide IP queries until the gtmd is finished restarting.
Sounds like you already know this, but you need to exchange the new device certs with GTM/DNS sync group peers and re-establish the iQuery connection so it will start using the new certificate. Both K6353 and K9114 have sections about this.
Also note that 11.5.x is no longer supported per K5903: BIG-IP software support policy.
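A pre-renewal check that fits the procedure described above: read the key size the warning complains about, check how close the current device certificate is to expiry, and copy the cert and key aside before the K9114 regeneration overwrites them. This is an added example, not code from the thread or from F5; it assumes `openssl` is on the PATH, uses the two file paths named in the answer as defaults, and leaves the actual regeneration to the K9114 procedure.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Inspects a BIG-IP-style device
# certificate with openssl before renewal. Defaults are the paths named above.
DEFAULT_CERT=/config/httpd/conf/ssl.crt/server.crt
DEFAULT_KEY=/config/httpd/conf/ssl.key/server.key

# Print the public key size in bits of a PEM certificate (empty if unreadable).
device_cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 when the key is at least 2048 bits, the threshold quoted in the GUI
# warning; exit 1 for a shorter key or an unreadable certificate.
device_cert_key_ok() {
    bits=$(device_cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Exit 0 when the certificate expires within the next $2 seconds (renew now),
# exit 1 when it is still valid past that window. Uses openssl's -checkend.
device_cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Copy cert and key aside with a timestamp suffix, preserving mode and owner,
# and print the timestamp so the caller can locate the copies. Do this before
# running the K9114 command, which overwrites both files in place.
backup_device_cert() {
    cert="${1:-$DEFAULT_CERT}"
    key="${2:-$DEFAULT_KEY}"
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$cert" "$cert.$stamp.bak" && cp -p "$key" "$key.$stamp.bak" \
        && echo "$stamp"
}

# Human-readable summary: key size verdict and a 30-day expiry check.
device_cert_report() {
    cert="${1:-$DEFAULT_CERT}"
    bits=$(device_cert_key_bits "$cert")
    printf '%s: key size %s bits ' "$cert" "${bits:-unknown}"
    if device_cert_key_ok "$cert"; then echo "(ok)"; else echo "(below 2048, renew)"; fi
    if device_cert_expires_within "$cert" 2592000; then
        echo "expires within 30 days, renew"
    else
        echo "not expiring within 30 days"
    fi
}

# Only report on the real device certificate when it exists on this host.
[ -f "$DEFAULT_CERT" ] && device_cert_report "$DEFAULT_CERT"
```

On a BIG-IP, run `device_cert_report` as-is, then `backup_device_cert` before following the K9114 steps; after regeneration, rerun the report to confirm the new key is 2048 bits and remember that the GUI session will need reauthentication and the iQuery peers need the new certificate, as the answer notes.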
For renewal of certs in DSC setup you need to follow K13946. The Device Certificate used for the GUI and iQuery is a separate entity from the DSC Device Trust Certificates. There is more detail about this distinction in: K15664: Overview of BIG-IP device certificates (11.x - 15.x).