Task
● Complete all Labs from 1.1 to 1.4 before starting this lab
● On BIGIQ-CM create a certificate of key type RSA with size 2048 bits and set the below parameters
o Name: bigiq_uninets
o Issuer: Self
o Common Name: bigiq.uninets.com
o Division: bigiqtraining
o Organization: Uninets
o Locality: Gurgaon
o State: Haryana
o Country: India
o Email: info@uninets.com
o Lifetime: 30 Days
o Password: uninets
● Assign this certificate to BIGIP-LTM
● On BIGIQ-CM create a deployment name bigiq_03_deploy for deploying the certificate to BIGIP-LTM
● Verify the latest certificates are pushed to BIGIP-LTM
Note: BIGIP Device is Discovered using management IP address in this lab
Explanation
BIG IQ can monitor the status of certificates on managed BIG IP devices and deploy certificates and keys to these devices. When a BIG IP device has been discovered BIG IQ gathers information on the properties and metadata of its installed SSL certificates and keys used for traffic management so they can be monitored though it does not import the actual objects.
This information is listed in the Configuration->LOCAL TRAFFIC->Certificate Management-> Certificate & Keys area. This includes certificates or bundles of certificates distributed as a part of BIG IP operating system and those certs that have been installed later by admin.
The certificate details include the device where they are discovered, their creation, their expiration date and their current status. Their Status is indicated by a yellow, red or green icon; the certificate is close to expiry or has expired or is active.
The SSL certificates State is displayed as unmanaged on the BIG IQ. Before these can be deployed they must be converted to manage by uploading both key and certificate to the BIG IQ.
There are several options available within the certificates & Keys area to manage certificates and their associated keys.
Click Create to build your own self signed or third party signed certificate. Below depicts the self-signed certificate.
Once it has been created its Status is listed as active or green and its State is listed as managed.
The import option allows you to import your own certificates and keys onto the BIG IQ system. The generate Report option allows you to create and download a CSV report on the certificate metadata.
The Alert Setting option directs you to the Monitoring->ALERTS & NOTIFICATIONS area where alerts are configured for certificate expiry
Further options Clone and Delete are available under More option once a certificate is selected.
A Cert Revocation List (CRL) is a list of digital certificates that have been revoked by issuing certificate Authority (CA) and should no longer be trusted. CRL lists can be uploaded to the BIG IQ at Configuration->LOCAL TRAFFIC->Certificate Management->Certificate Revocation Lists
Configuration and Verification
You already have a BIGIP-LTM discovered on BIGIQ-CM. We can use BIG IQ to centrally create and deploy certificates to manage BIG IP devices.
To create certificate on BIGIQ-CM, go to Configuration->LOCAL TRAFFIC->Certificate Management->Certificates & Keys and click Create
It brings you a screen where you can fill all certificate details provided in the task.
Scroll down further to fill more details line Key Type, Key Size, and password. In our case enter password and keep other values as default. Click Save & Close
It brings back to the certificate & keys page where you can see that this certificate is created, mouse hover to yellow triangle on status of this certificate. It says that this certificate is expiring in a month time as you configured its expiry to be 30 days.
Now assign the newly create certificate to BIGIP-LTM, go to the Configuration->LOCAL TRAFFIC->Pinning Policies, there you can discovered devices. Click on the device name
It opens a screen where you can select SSL certificates and SSL keys. Go to the lower sub window on the left hand side and select SSL certificates from top down list as shown below
Click on Add Selected
Repeat the same steps for SSL keys
The certificate object is now pinned to that BIGIP device. You can verify that both SSL certificate and SSL keys are added on the above sub window
Click on Save & Close to continue
You are returned to the main screen of Pinning Policies here Pinning Object count has increased to 14
Now create a deployment, go to Deployment->EVALUATE & DEPLOY->Local Traffic & Network. In the Deployment section click on Create
It opens a page where fill the deployment name and set the target device and keep other values as default. Click Create to continue
It brings you back to the Evaluate and Deploy page, you can see that the deployment name is there under evaluations. Click on view in the Differences column.
Here you can see that only SSL cert and SSL key are added for deployment
Click on cancel and select bigiq_03_deploy and click on deploy
It asks for confirmation before deploying changes, click on deploy to continue
You can check in section Deployment that this deployment has been fully completed
Now you can verify whether this certification has been pushed on BIGIP-LTM devices or not Login to BIGIP-LTM and go to System->File Management->SSL Certificate List
Click on bigiq_uninets to see the details of this certificate, click on Key to lists the key
So certificate has successfully been deployed on BIGIP-LTM device
Class Sessions
