How do we import self-signed cert to BIG-IP before runtime-init and other extensions are downloaded

[pedley-f5]

All of our devices are behind a proxy that does decryption. Therefore, any calls to download runtime-init and other extensions called by runtime init fail because the BIG-IP doesn't recognize the self-signed cert. Is there an option to get our cert chain up to the BIG-IP CA before calling runtime-init from the CFTs?

[mikeshimkus]

Hi @pedley-f5, I assume you are using runtime init v2.0, since that was the first version to support making requests through a proxy.

You would need to customize our CFTs to either accept the content of your cert as a parameter which you could save to a local file and reference in the startup script, or download it from a location accessible to the instance within the startup script, and then pass it to the curl commands that download the runtime init package and config file. Examples of both saving params to a file and downloading files at init time are in the bigip standalone module: https://github.com/F5Networks/f5-aws-cloudformation-v2/blob/07a63054424ef38082e301ca5da66d928d9f7bdd/examples/modules/bigip-standalone/bigip-standalone.yaml#L1494

Within runtime init there's the option to specify trusted CA bundles for the various providers (not globally)...you can search https://github.com/F5Networks/f5-bigip-runtime-init/blob/main/src/schema/base_schema.json for trustedCertBundles for examples. This would require customizing the runtime init example configs as well.

Info on customizing our CFTs is here: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/failover#changing-the-big-ip-deployment