We have LTM, DNS, Viprion hosts and guests whose running device certificates are self-signed. We have to replace all of these self-signed device certificates with CA-signed device certificates. We already have a CA which can provide certificates after raising a CSR. I'm looking for best practices to renew/replace them with minimum service impact. The LTMs are communicating with DNS via iQuery as well.
Your valuable response is highly appreciated.
This article covers how to replace the default device cert with a CA signed cert:
Covers iQuery comms as well. It's the same process where you'll need to add the new cert into their trusted device cert either using the bigip_add script or manually importing via TMUI.
Make sure the new SSL cert is not a wildcard, otherwise comms will fail.
Let me know if you need anything else.
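Added example, not part of the original replies: a pre-flight check to run on the certificate returned by the CA before importing it, covering the wildcard caveat above plus two related checks (still self-signed, expiring soon). It assumes bash and the `openssl` CLI; the function name `check_device_cert` and the 30-day window are hypothetical choices.

```shell
#!/usr/bin/env bash
# Pre-flight check for a replacement device certificate (added example).
# Assumptions: bash and the openssl CLI are available; the function name
# and the 30-day expiry window are illustrative, not from the thread.

# Prints one finding per line; returns 0 only when there are none.
check_device_cert() {
    local cert="$1" text subject issuer rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "unreadable: $cert is not a PEM X.509 certificate"
        return 2
    }

    # Wildcard in the subject CN or in any SAN DNS entry.
    # The optional spaces cover the "CN=" and "CN = " output styles.
    if printf '%s\n' "$text" | grep -Eq 'Subject:.*CN ?= ?\*\.|DNS:\*\.'; then
        echo "wildcard: certificate carries a wildcard name"
        rc=1
    fi

    # Heuristic: identical subject and issuer means the certificate is
    # self-issued, i.e. it was not signed by the separate CA.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo "self-signed: subject and issuer are identical"
        rc=1
    fi

    # Already expired, or expiring within 30 days.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "expiry: certificate expires within 30 days"
        rc=1
    fi
    return $rc
}
```

Run it against the CA's response before touching the device; an empty output with exit status 0 means none of the three conditions was found.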