Wednesday, July 29, 2009

SOL6353: Updating an SSL certificate on a BIG-IP GTM or Link Controller system

Updated: 6/24/09 11:47 AM
Solution

To update the SSL certificate on a BIG-IP GTM or BIG-IP Link Controller system, you must perform the following procedures:

  • Renew the self-signed device certificate on the BIG-IP GTM or BIG-IP Link Controller for another year
  • Run the bigip_add script on remote BIG-IP GTM or BIG-IP Link Controller systems

Additionally, you have the option to perform the following procedure:

  • Renew and import the self-signed device certificate on the BIG-IP GTM or BIG-IP Link Controller for longer than one year

Note: Using a third-party SSL certificate for iQuery communication is supported beginning with BIG-IP GTM version 9.3. For more information, refer to SOL7717: Change in Behavior: The BIG-IP GTM and BIG-IP Link Controller support third party SSL certificates. Using a third-party SSL certificate in earlier versions causes BIG-IP GTM iQuery SSL to fail. For more information, refer to SOL6692: Using a third party SSL certificate causes BIG-IP GTM iQuery SSL to fail.

Important: As a result of a known issue, the import functionality for trusted device certificates, performed in the Renewing and importing the device certificate on the BIG-IP GTM procedure, stores the certificate in the wrong file. As a result, the Moving trusted device certificates to the proper file procedure is required. For information, refer to SOL6996: The trusted device certificate is imported to the incorrect file.

Renewing the self-signed device certificate on the BIG-IP GTM or BIG-IP Link Controller for another year

To renew and import the self-signed device certificate on the BIG-IP GTM or BIG-IP Link Controller, perform the following procedure:

  1. Log in to the Configuration utility.
  2. Click System.
  3. Click Device Certificates.
  4. Click the Renew button.
  5. Select Self from the Issuer drop-down menu.
  6. Select the appropriate country from the Country drop-down menu.
  7. Click the Finished button.

Running the bigip_add script on remote BIG-IP GTM or BIG-IP Link Controller systems

The remote BIG-IP GTM or BIG-IP Link Controller systems in the synchronization group must obtain the renewed certificate. To do so, run the bigip_add utility on each remote system by typing the following command from its command line:

bigip_add


OPTIONAL: Renewing and importing the self-signed device certificate on the BIG-IP GTM or BIG-IP Link Controller for longer than one year

Note: Beginning in BIG-IP version 10.0.0, the validity period of self-signed device certificates can be adjusted within the Configuration utility. For more information, refer to SOL10233: Change in Behavior: Self-signed device certificates lifetime value can be configured within the Configuration utility.

To renew and import the self-signed device certificate on the BIG-IP GTM or BIG-IP Link Controller for longer than one year, perform the following procedure:

Note: The following procedure is optional and should only be used if you want to extend the expiration time of the self-signed certificate, as this procedure does not allow you to change any information within the certificate other than the expiration date.

  1. Log in to the command line.
  2. Change directories to the /config/httpd/conf/ssl.crt directory by typing the following command:

    cd /config/httpd/conf/ssl.crt

  3. Convert the server.crt certificate to a certificate signing request (.csr) by typing the following command:

    openssl x509 -x509toreq -in server.crt -out server.csr -signkey /config/httpd/conf/ssl.key/server.key

  4. Using the new CSR, specify the number of days for which the certificate should be valid by typing the following command:

    openssl x509 -req -in server.csr -signkey /config/httpd/conf/ssl.key/server.key -days <# of days> -out server.crt

  5. Replace <# of days> with the number of days in year increments for which you want the certificate to be valid. For example, if you want to make the certificate valid for one year, type the following command:

    openssl x509 -req -in server.csr -signkey /config/httpd/conf/ssl.key/server.key -days 365 -out server.crt

    Additionally, you can use the following quick reference table to select the number of years for which you want the certificate to be valid:

    Year(s)   Number of Days
    1         365
    2         730
    5         1825
    10        3650

  6. Restart the web server daemon by typing the following command:

    bigstart restart httpd

  7. Copy the new extended expiration self-signed certificate to the trusted device certificate file by typing the following command:

    cat /config/httpd/conf/ssl.crt/server.crt >> /config/big3d/client.crt

  8. Copy the new extended expiration self-signed certificate to the trusted server certificate file by typing the following command:

    cat /config/httpd/conf/ssl.crt/server.crt >> /config/gtm/server.crt

  9. Run the bigip_add script on each remote BIG-IP GTM or BIG-IP Link Controller system in the synchronization group so that it obtains the renewed certificate. From the command line of the remote system, type the following command:

    bigip_add
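The optional procedure above is a sequence of openssl commands with no verification step, and steps 7 and 8 append with `>>`, so running the procedure twice leaves duplicate copies of the certificate in the trust files. The following shell script is an added example, not part of the F5 solution or any BIG-IP tooling: it replays steps 3 and 4 against a throwaway key and certificate in a scratch directory, checks the new lifetime with `openssl x509 -checkend` rather than by reading dates, and appends to a trust bundle only when the certificate is not already present. The fixture subject, the scratch paths and the helper names are constructed for the example; the BIG-IP paths (/config/httpd/conf/ssl.crt/server.crt, /config/big3d/client.crt, /config/gtm/server.crt) would be substituted on a real system.

```shell
#!/bin/sh
# Added example (not F5's own tooling): replays the SOL6353 renewal steps on a
# throwaway key/cert and verifies the result. Requires the openssl CLI.
set -eu

# Days per year exactly as the quick-reference table counts them (no leap days).
years_to_days() {
    echo $(( $1 * 365 ))
}

# Re-sign an existing self-signed certificate with a new validity window.
# $1 = directory holding server.crt, $2 = private key path, $3 = days.
# Mirrors steps 3 and 4 of the page: x509 -x509toreq, then x509 -req -days.
renew_self_signed() {
    dir=$1; key=$2; days=$3
    openssl x509 -x509toreq -in "$dir/server.crt" -out "$dir/server.csr" \
        -signkey "$key" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$key" -days "$days" \
        -out "$dir/server.crt" 2>/dev/null
}

# Return 0 if the certificate is still valid $2 days from now, 1 otherwise.
# -checkend takes seconds, so convert the day count.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Append a PEM certificate to a trust bundle only if it is not already there.
# Steps 7 and 8 use a plain '>>', which duplicates the entry on a second run.
append_trusted_cert() {
    cert=$1; bundle=$2
    touch "$bundle"
    if tr -d '\n' < "$bundle" | grep -qF -- "$(tr -d '\n' < "$cert")"; then
        return 0   # already present, nothing to do
    fi
    cat "$cert" >> "$bundle"
}

# Count the certificates in a PEM bundle (0 when the file holds none).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Build a throwaway RSA key and a 1-day self-signed certificate in a scratch
# directory and print the directory. Constructed test fixture: the subject
# "bigip-test" is a placeholder, not a real BIG-IP device certificate.
make_fixture() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/server.key" -days 1 \
        -subj "/CN=bigip-test" -out "$dir/server.crt" 2>/dev/null
    echo "$dir"
}

# Demonstration: extend the fixture certificate to five years and record it in
# a scratch trust bundle twice, showing that only one copy is kept.
demo_renewal() {
    d=$(make_fixture)
    renew_self_signed "$d" "$d/server.key" "$(years_to_days 5)"
    cert_valid_for_days "$d/server.crt" 1800 || return 1
    append_trusted_cert "$d/server.crt" "$d/client.crt"
    append_trusted_cert "$d/server.crt" "$d/client.crt"
    n=$(count_certs "$d/client.crt")
    rm -rf "$d"
    [ "$n" = "1" ]
}
```

On a BIG-IP system the equivalent of `cert_valid_for_days` is worth running against /config/httpd/conf/ssl.crt/server.crt after step 5 and before restarting httpd, so a typo in the `-days` value is caught before the certificate is appended to /config/big3d/client.crt and /config/gtm/server.crt; the other peers in the synchronization group still need `bigip_add` as in step 9, since the script only edits local files.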
