Skip to main content
By default, the audit feature manages only certificates that are in use by a virtual server on the BIGIP systems.
Certificates that are not in use by a virtual server can be added using the configuration form.
Additionally, certificates, which are in use by a virtual server, can be filtered out with the configuration form.
The Certificates page can be accessed from the left-hand navigation under ā€˜Securityā€™.

ā€‹
Viewing Certificates

The tool shows managed certificates, listed by Account, Agent, or Device Group. The certificate information, for each device group, will be populated in accordance to its configuration nightly, but if any certificate information has changed, you will need to manually refresh the device groupā€™s certificate data.
To get the latest data from a device group, under the ā€˜Device Groupā€™ section, select the refresh button.
Click on the expand button of the certificate to view its detailed attributes and associated information

ā€‹
Configuration

Configuration of certificates available to the tool is handled at the device group level.
To modify a device groupā€™s certificate management configuration, go to the device groups tab and select configuration in the top right corner.
Note: Access to the configuration form is also available by going to the left panel, selecting ā€œDevice Groupsā€, and selecting the ā€œCertificates Configurationā€ option under ā€œActionsā€.
Under the configuration tab the following options are available:
  • Enabled / disable the certificate management feature (disabled by default)
  • Set the ā€˜Days Remainingā€™ for a certificateā€™s expiration to trigger an automated notification email
  • Set who will be sent automated notification emails
  • Set domains to include
    • Add certificates by domains, which are included in an ssl profile, but the profile is not included in a virtual server
    • Please see section below regrading domain filtering syntax
  • Set domains exclude
    • Filter out certificates by domains, which otherwise were automatically added
    • Please see section below regrading domain filtering syntax
  • Set files to include
    • Add certificates by file name, which are included in an ssl profile, but the profile is not included in a virtual server
  • Set files to exclude
    • Filter out certificates by file name, which otherwise were automatically added
  • Set subjects to exclude (filter out certificates with subjects, which otherwise were automatically added)
  • Set issuers to exclude (filter out certificates with issuers, which otherwise were automatically added)
    Changes to the configuration require the clicking of the ā€œSaveā€ button to commit the change.
Skipping on issuers or skipping on subjects, requires entries with keys and values.
A list of associated keys definitions are provided in the table below.
KeyAssociated field
CCountry
CNCommon Name
LLocality
OOrganization
STState
Example: To filter out certificates which have a issuer with common name ā€œSectigo RSA Domain Validation Secure Server CAā€, the following entry would be added:
Advanced configuration can be configured using the ā€œJSON CODEā€ button in the lower left hand corner of the configuration screen, though this is beyond the scope of this guide.
Reminder:
The certificate information, for each device group, will be populated in accordance to its configuration nightly, but if any certificate information has changed, you will need to manually refresh the device groupā€™s certificate data.
To get the latest data from a device group, under the the ā€˜Device Groupā€™ section, select the refresh button.

ā€‹
Configuration

Whether setting domains to include or exclude, domain matching the following rules:
  • Entries are taken as literal strings
  • The literal string entries will exact match against a certificates configured domain name (wild cards are not currently supported)
  • The literal string entries will match against a certificates wildcard domain name
Examples: 
entry a = www.cloud.red
entry b = cloud.red
entry c = www.app.cloud.red

certificate 1 = *.cloud.red
certificate 2 = cloud.red
certificate 3 = www.coud.red

entry a will only match certificates 1 and 3

entry b will only match certificate 2

entry c will not match any certificate