Forum Discussion

corpkid_17486
Jan 23, 2018

Scripting certificate management

Hi all. I've been asked to take over the certificate management on our F5 Big-IP load balancers. That said, I am not an "F5" guy but rather a PKI guy so this is all new to me. We have a large volume of certificates, so I would like to automate this process as much as possible via scripting. I have a few questions I'm hoping to get some help with:


  1. It looks like you manage the F5 load balancers through TMSH. Is that the best way to do this if I plan to script this?
  2. Does anyone know of any reference scripts I can take a look at?
  3. We generate our certificates from a local Certificate Authority off the devices (on our workstations). It looks like we need to SFTP or SCP the resultant PKCS12 file up to the device. Do I place that in /shared/tmp?
  4. We have an Active/Standby HA setup for our load balancers. Is there an order these need to be updated?

From what little I've read so far, it appears there are three steps for our configuration (please correct me if I'm wrong):


  • Procure new certificate, upload to devices
  • Change the SSL Profiles (client and server) to use that new certificate and appropriate chain
  • Save the configuration

Anything else I need to know before I start trying to figure this out? Many thanks!


1 Reply

  • So there are three ways in which you can do this: tmsh, GUI and iControl. The easiest to script and automate is iControl with something like Ansible. I'll leave you to research how to do that.

    If you want to use tmsh then upload to the /var/tmp directory and use `tmsh load sys file ...`. The way this works is that each file has a name so you can renew an existing cert or you can create a new one and then modify the Client SSL profile in which it is specified. The devices in a HA pair generally have Config Sync so you load it on one and do the sync which copies it across.
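The three steps from the question (install the uploaded files, re-point the SSL profiles, save) plus the config-sync step from the reply, as an added example that is not from the original thread or from F5: a small Python helper that emits the tmsh commands in the right order and can run them over SSH against the active unit. The tmsh syntax (`install sys crypto cert/key ... from-local-file`, `modify ltm profile client-ssl ... cert-key-chain`, `run cm config-sync to-group`) is assumed from the tmsh reference and should be checked against the firmware version in use; the object, profile and device-group names are constructed placeholders. Because object names from an inventory end up inside shell and tmsh command lines, the helper refuses any name outside a conservative character set rather than quoting on the fly.

```python
"""Build (and optionally run) the tmsh steps for renewing a certificate on a
BIG-IP HA pair. Added example, not F5 tooling; tmsh syntax is assumed from
the tmsh reference and should be verified against your BIG-IP version."""
import re
import subprocess
from typing import List

# Names are interpolated into tmsh/ssh command lines. Restricting them up
# front means a malformed inventory entry can never add extra arguments.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
UPLOAD_DIR = "/var/tmp"  # directory the reply suggests uploading into


def _check_name(name: str) -> str:
    """Reject anything that is not a plain BIG-IP object or file name."""
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unsafe object name: {name!r}")
    return name


def renewal_commands(cert_name: str, cert_file: str, key_file: str,
                     chain_name: str, client_profiles: List[str],
                     server_profiles: List[str], device_group: str) -> List[str]:
    """Return the ordered tmsh commands: install cert+key, re-point the
    client-ssl and server-ssl profiles, save config, then config-sync."""
    n = _check_name(cert_name)
    chain = _check_name(chain_name)
    for f in (cert_file, key_file):
        # Files must be bare names already uploaded (SCP/SFTP) to UPLOAD_DIR.
        if "/" in f or not _SAFE_NAME.match(f):
            raise ValueError(f"file must be a bare name in {UPLOAD_DIR}: {f!r}")
    cmds = [
        f"tmsh install sys crypto cert {n} from-local-file {UPLOAD_DIR}/{cert_file}",
        f"tmsh install sys crypto key {n} from-local-file {UPLOAD_DIR}/{key_file}",
    ]
    for p in client_profiles:
        p = _check_name(p)
        # client-ssl uses a cert-key-chain collection; replace it wholesale.
        cmds.append(
            f"tmsh modify ltm profile client-ssl {p} cert-key-chain "
            f"replace-all-with {{ {n} {{ cert {n} key {n} chain {chain} }} }}")
    for p in server_profiles:
        p = _check_name(p)
        # server-ssl (assumed syntax) takes cert/key/chain as plain attributes.
        cmds.append(f"tmsh modify ltm profile server-ssl {p} cert {n} key {n} chain {chain}")
    cmds.append("tmsh save sys config")
    # Run on the active unit only; config-sync pushes the result to the standby.
    cmds.append(f"tmsh run cm config-sync to-group {_check_name(device_group)}")
    return cmds


def run_on(host: str, cmds: List[str], dry_run: bool = True) -> List[str]:
    """Execute each command over ssh on the active unit (or echo in dry-run).
    Returns the commands that were issued, in order."""
    issued = []
    for c in cmds:
        if dry_run:
            print(f"[dry-run] ssh {host} {c}")
        else:
            # Each command is passed as a single argv element; no shell on our side.
            subprocess.run(["ssh", host, c], check=True)
        issued.append(c)
    return issued


if __name__ == "__main__":
    # Constructed sample values; replace with your own names.
    plan = renewal_commands(
        cert_name="www-example-2018", cert_file="www-example.crt",
        key_file="www-example.key", chain_name="corp-ca-chain",
        client_profiles=["clientssl-www"], server_profiles=["serverssl-www"],
        device_group="sync-failover-group")
    run_on("bigip-active.example.invalid", plan, dry_run=True)
```

Run it once in dry-run mode and diff the printed commands against what you would type by hand before letting it execute anything; the same command list can be fed to an Ansible or iControl REST workflow later without changing the validation.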