Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
Jul 10, 2017

BIG-IQ and certificate management - why certificates are not imported

Hi,

 

I am quite new to BIG-IQ so maybe this is very obvious question. Anyway I am quite surprised that BIG-IQ is not importing actual certificate files form BIG-IP.

 

All test done on BIG-IQ 5.2.0 and BIG-IPs VE 13.0.0HF2.

 

After BIG-IP import all certificates are marked as Unmanaged.

 

Only way I can find to make certificates managed is to manually export certificates, keys and chain files from BIG-IP device and import into BIG-IQ.

 

That is a lot of work :-( Are there any automation tools for that?

 

Assuming that BIG-IQ have both REST API access (ober HTTPS) and SSH access to BIG-IP there should not be problem with transferring actual files from BIG-IP.

 

I can understand security and technical issues with key files - those are most sensitive data and can/should be protected with passwords - so transfer could not be possible.

 

But in case of just certificates or chain files there is no security/password, so there should be option to import those from BIG-IPs.

 

Am I missing something here?

 

I will as well appreciate any clue how this process can be automated.

 

Piotr

 

automation
BIG-IP
BIG-IQ
certificate
devops
import
key
manage
security

2 Replies

Sort By
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Jul 10, 2017

    Piotr,

    I assume this is BIG-IQ giving you flexibility on what you can do around cert/keys. If you want to manage them from an expiry point of view and they don't need to be on other systems - e.g. other systems aren't going to have them in any client or server ssl profile, then Unmanaged will work.

    However, if you do want BIG-IQ to be more of a certificate store, then you will need to import them, as you have found.

    You can import the certificate/keys from the BIG-IQ gui itself, from BIG-IQ Device Mgmt Guide, i hope this helps:

     When you discover a BIG-IP® device, BIG-IQ® Centralized Management imports its SSL certificates' properties (metadata), but not the actual SSL certificates and key pairs. These certificates display as Unmanaged on the BIG-IQ Certificates & Keys screen. This allows you to monitor each SSL certificate's expiration date from BIG-IQ, without having to log on directly to the BIG-IP device.
Convert an unmanaged SSL key certificate and key pair to managed so you can centrally manage it from BIG-IQ Centralized Management. This saves you time because you don't have to log on to individual BIG-IP devices to create, monitor, or deploy certificates.
At the top of the screen, click Configuration.
On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys .
Click the name of the unmanaged certificate.
For the Certificate Properties State setting, click the Import button and then:
To upload the certificate's file, select Upload File and click the Choose File button to navigate to the certificate file.
To paste the content of a certificate file, select Paste Text and paste the certificate's content into the Certificate Source field.
For the Key Properties State setting, click the Import button and then:
To upload the key's file, select Upload File and click the Choose File button to navigate to the key file.
To paste the content of a key file, select Paste Text and paste the key's content into the Key Source field.
Click the Save & Close button at the bottom of the screen.
The SSL certificate now displays as Managed on the Certificates & Keys screen.
You can now assign this SSL certificate and key pair to a Local Traffic Manager clientssl or serverssl profile, and deploy it to a BIG-IP device. For more information, refer to the topic titled Deploying Changes.