Janus-Paul
Jul 12, 2017

Install internal company security certificate on BIG-IQ.

Hi,

 

I am trying to install a company internal certificate on BIG-IQ. I used K14499.pdf, but it still doesn't work. If I open an HTTPS connection to BIG-IQ, I get a certificate error.

 

Here are the steps that I did:

 

  1. Generated a random number file

     

  2. Created a client certificate key

     

  3. Created a client certificate signing request (CSR)

     

  4. Used the CSR to generate a certificate and chain on the internal certificate service solution and copied them to BIG-IQ (certnew.cer and certnew.p7b)

     

  5. Imported the CA certificate in tmsh crypto and saved it. After this the server was rebooted.

     

Unfortunately, if I open a browser and connect to the BIG-IQ, the same certificate error appears: "There is a problem with this website’s security certificate. The security certificate presented by this website was issued for a different website's address. The security certificate presented by this website was not issued by a trusted certificate authority".

 

It looks like the new certificate wasn't installed correctly. K14499.pdf is written for BIG-IP devices. Are there any instructions for BIG-IQ 5.1?

 

Reg. Janus

 

5 Replies

  • Hi,

     

    Simple question: did you review the data about the certificate presented by the browser? If so, is BIG-IQ returning the certificate you installed (check the cert serial) or the default one?

     

    If BIG-IQ is returning the newly installed cert, then the issue is somewhere else. If you are using a self-signed cert (if I am not wrong from your description), then no browser accepts such a certificate as safe.

     

    Actually, it is quite hard to convince some browsers that a certificate is trusted even if it was created by an internal CA with the CA root cert imported into Trusted in the browser - some browsers just require your CA cert to be signed by a well-known authority - at least in my experience.

     

    Piotr

     

  • Hi, another simple question: did you check that the common name and subject alternative name are equal to the domain you are using for accessing BIG-IQ? "There is a problem with this website’s security certificate. The security certificate presented by this website was issued for a different website's address."

     

  • Hi,

     

    Yes, I did. It is issued exactly for this server (including the domain).

     

    Reg.

     

    Janus

     

  • OK, and also the subject alternative name? If yes, it seems to be a problem with the CA verification.

     

  • Hi,

     

    Finally I solved this issue. It was simpler than I expected. I found the instructions in K52425065. It was enough to copy the new certificate to /config/httpd/conf/ssl.crt/server.crt and restart webd.

     

    Thank you for all posted help.

     

    Reg.

     

    Janus
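
The three checks raised in the replies above (which certificate the listener serves, whether the name matches, whether the chain verifies) can be run from a shell; this is an added example, not part of the original thread or of the F5 articles it cites. It assumes the OpenSSL command-line tool (1.0.2 or later), and the host name and CA bundle path are supplied by the caller.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes the OpenSSL CLI (1.0.2 or later
# for -checkhost). Host names and CA file paths are supplied by the caller.

# Serial number of a PEM certificate file, e.g. the one copied to the device.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Serial number of the leaf certificate the HTTPS listener actually presents.
served_serial() {   # usage: served_serial HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -serial | cut -d= -f2
}

# Succeeds if the certificate covers HOST. OpenSSL checks the subjectAltName
# DNS entries and only falls back to the common name when there are none.
cert_covers_host() {   # usage: cert_covers_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeeds if CERT chains to the internal CA bundle in CA_FILE.
cert_chains_to() {   # usage: cert_chains_to CERT CA_FILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks and report which part of the browser error applies.
diagnose() {   # usage: diagnose HOST CERT CA_FILE
    local want got
    want=$(cert_serial "$2"); got=$(served_serial "$1")
    if [ "$want" = "$got" ]; then echo "served: installed certificate ($got)"
    else echo "served: a different certificate ($got, expected $want)"; fi
    cert_covers_host "$2" "$1" && echo "name: covers $1" || echo "name: does not cover $1"
    cert_chains_to "$2" "$3" && echo "chain: verifies against $3" || echo "chain: does not verify against $3"
}

# Only run when called with arguments, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```

A "served: a different certificate" result corresponds to the situation in this thread, where the web server was still presenting its previous certificate until server.crt was replaced.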