Manual Chapter: SSL Certificates for BIG-IP Devices

In some cases, BIG-IP® systems need to exchange device certificates, that is, Secure Sockets Layer (SSL) certificates and keys used to verify each other's credentials before exchanging data. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.
Note: If you are using the device service clustering feature (DSC), see the BIG-IP® Redundant Systems Configuration Guide. If you are using SSL certificates to terminate and initiate local SSL traffic, see the guides BIG-IP® Local Traffic Manager: Concepts and BIG-IP® Local Traffic Manager: Implementations.
To perform mutual authentication, BIG-IP systems can use either self-signed certificates or CA-signed certificates:
Self-signed certificates
When you install BIG-IP software, the application includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
CA-signed certificates
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a CA-signed certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using CA-signed certificates is more secure than using self-signed certificates.
To request authentication
A BIG-IP system can send a certificate to another (target) BIG-IP system to request authentication by that target BIG-IP system. In this context, the certificate is referred to as a device certificate.
To grant authentication
A BIG-IP system can store one or more certificates that it trusts, to check when receiving a device certificate from another BIG-IP system during a request for authentication.
When requesting SSL authentication from another system, the BIG-IP system needs to present its device certificate. On the BIG-IP system, a device certificate is an SSL certificate that a BIG-IP system presents to another device on the network for authentication purposes. A device certificate can be either a self-signed certificate or a CA-signed certificate.
Security type, either Normal or FIPS (FIPS-enabled systems only)
The BIG-IP system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running Global Traffic Manager might send a request to a Local Traffic Manager system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain in its attempt to authenticate the request.
Level 0
Certificates are verified by the system to which they belong. These types of certificates are also known as self-signed certificates.
Level 1
Certificates are authenticated by a Certificate Authority server that is separate from the system.
Levels 2 through 9
Certificates are authenticated by additional CA servers, which verify the authenticity of other servers. These multiple levels of authentication are referred to as certificate chains, and allow for a tiered verification system that ensures that only authorized communications occur between servers.
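The following is an added example, not code from this manual or from the BIG-IP product, that reproduces the three trust levels above with Go's standard crypto/x509 package. It constructs in memory a self-signed device certificate (Level 0), a root CA that signs a device certificate directly (Level 1), and a root CA with an issuing intermediate that signs a third device certificate (Level 2). ChainLevels plays the role of the target BIG-IP system: it verifies the presented device certificate against the trusted device certificates that were "imported" into its store and reports how many CA levels the validated chain contains, or an error when no path to a trusted certificate exists. All common names (Example Root CA, bigip-ltm.example.test, and so on) are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with its private key. It stands in for a
// BIG-IP device certificate or for a CA; everything here is constructed
// in memory for the example.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewIdentity issues a certificate for cn. A nil issuer produces a
// self-signed certificate (Level 0); otherwise the issuer signs it
// (Level 1 when the issuer is a trusted root, deeper when it is an
// intermediate CA that is itself signed by another CA).
func NewIdentity(cn string, isCA bool, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		// A CA must be allowed to sign certificates, or Go refuses to
		// build a chain through it.
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A device certificate is presented to another system to prove
		// the presenter's identity, so mark it for client authentication.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parentCert, parentKey := tmpl, key // self-signed: the template is its own parent
	if issuer != nil {
		parentCert, parentKey = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, key.Public(), parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// ChainLevels acts as the target system. trusted holds the device
// certificates and CA certificates that were imported as trusted;
// intermediates holds any intermediate CA certificates sent along with
// the presented certificate. It returns the number of CA levels in the
// validated chain: 0 when the self-signed device certificate itself is
// trusted, 1 when a trusted CA signed it directly, 2 or more when the
// chain passes through intermediate CAs. An error means the presented
// certificate has no path to anything in the trust store.
func ChainLevels(device *x509.Certificate, trusted, intermediates []*x509.Certificate) (int, error) {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := device.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return -1, err
	}
	return len(chains[0]) - 1, nil
}

func main() {
	root, err := NewIdentity("Example Root CA", true, nil)
	if err != nil {
		panic(err)
	}
	inter, err := NewIdentity("Example Issuing CA", true, root)
	if err != nil {
		panic(err)
	}
	device, err := NewIdentity("bigip-ltm.example.test", false, inter)
	if err != nil {
		panic(err)
	}
	// The target trusts only the root; the intermediate arrives with the chain.
	n, err := ChainLevels(device.Cert, []*x509.Certificate{root.Cert}, []*x509.Certificate{inter.Cert})
	fmt.Println("CA levels in validated chain:", n, "error:", err)
}
```

Note that a self-signed device certificate is accepted only because that exact certificate was imported as trusted; presenting it to a system whose trust store holds only a CA certificate is rejected, which is why each BIG-IP system must import the peer certificates it is expected to authenticate.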
Import onto each BIG-IP system the trusted device certificates that are necessary to authenticate communications with other BIG-IP systems.
To manage device certificates, log in to the BIG-IP Configuration utility, and on the Main tab, expand System, and click Device Certificates.