Auto renewal of device certificate

Question

Hello everyone, &nbsp;
We have a customer who has two f5 machines in HA pair. And for them we have device trust based on default device certificates. After this trust was established we import new certificate, generated from our customer's CA, and they expired after two years. &nbsp;
We want to automate the process of renewal of certificates after their expiration.
After research we see only how to accomplish this manually.&nbsp;
Do you have any ideas?&nbsp;
Thanks in advance.&nbsp;
Regards,&nbsp;
Preslav&nbsp;

preslav_ilevski · Answer

Hi all,&nbsp;
I found the explanation. There's no option to renew device certificate automatically. And one correction - the device certificate is not used to establish trust relationship between HA units. In order to establish secure channel between HA peers we use /config/ssl/ssl.crt/dtdi.crt and /config/ssl/ssl.crt/dtca.crt certificates. &nbsp;
Device certificate (System -&gt; Device certificates -&gt; Device certificate) does not affect DSC (HA) synchronization. It does, however, affect DNS synchronization and iQuery communication.&nbsp;
More on BIG-IP certificates can be found here: https://support.f5.com/csp/article/K15664&nbsp;
Regards,&nbsp;
Preslav&nbsp;

Forum Discussion

Auto renewal of device certificate

1 Reply

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

unsupported certificate error with device certificates

issue with URL after certificate renewal.

TLSv1.0 and TLSv1.1 disable in Device Certificate

Device certificate Issuer and other information not updating on the browser's certificate details

Re: Management Certificate