Manual Chapter: SSL Certificates for BIG-IP Devices

SSL Certificates for BIG-IP Devices

In some cases, BIG-IP systems need to exchange device certificates, that is, Secure Sockets Layer (SSL) certificates and keys used to verify each other's credentials before exchanging data. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.

Note: If you are using the device service clustering (DSC) feature and want to establish trust among BIG-IP devices, see the guide titled BIG-IP Device Service Clustering: Administration. If you are using SSL certificates to terminate and initiate local SSL traffic, see the guides BIG-IP Local Traffic Manager: Concepts and BIG-IP Local Traffic Manager: Implementations.

To perform mutual authentication, BIG-IP systems can use either self-signed certificates or CA-signed certificates:

Self-signed certificates
When you install BIG-IP software, the application includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
CA-signed certificates
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a CA-signed certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using CA-signed certificates is more secure than using self-signed certificates.

BIG-IP systems on the network use self-signed or CA-signed certificates for these reasons:

To request authentication
A BIG-IP system can send a certificate to another (target) BIG-IP system to request authentication by that target BIG-IP system. In this context, the certificate is referred to as a device certificate.
To grant authentication
A BIG-IP system can store one or more certificates that it trusts, to check when receiving a device certificate from another BIG-IP system during a request for authentication.

Device certificates

When requesting SSL authentication from another system, the BIG-IP system needs to present its device certificate. On the BIG-IP system, a device certificate is an SSL certificate that a BIG-IP system presents to another device on the network, for authentication purposes. A device certificate can be either a self-signed certificate or a CA-signed certificate.

Using the Configuration utility, you can view, import, renew, or export a device certificate.

You can also import or export a device key. The properties of a device key are:

  • Key type (such as KTYPE_RSA_PRIVATE)
  • Key size (such as 1024 bits)
  • Security type, either normal or FIPS (FIPS-enabled systems only)

Trusted device certificates

The BIG-IP system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running Global Traffic Manager might send a request to a Local Traffic Manager system. In this case, the Local Traffic Manager system receiving the request checks its trusted device certificate or certificate chain in its attempt to authenticate the request.

The SSL protocol supports ten levels of authentication:

Level 0
Certificates are verified by the system to which they belong. These types of certificates are also known as self-signed certificates.
Level 1
Certificates are authenticated by a Certificate Authority server that is separate from the system.
Levels 2 through 9
Certificates are authenticated by additional CA servers, which verify the authenticity of other servers. These multiple levels of authentication are referred to as certificate chains, and allow for a tiered verification system that ensures that only authorized communications occur between servers.

To configure multi-level certificate authentication, you must:

  • Import to each BIG-IP system the trusted device certificates that are necessary to authenticate communications with other BIG-IP systems.
  • Specify the depth of the certificate chain that the BIG-IP system must traverse.
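The levels and the chain-depth setting described above can be reproduced with the openssl command line. The following script is an added example and is not part of the F5 manual or of BIG-IP itself: it builds a constructed three-tier chain (a self-signed root CA, an intermediate CA, and two device certificates named bigip-a and bigip-b, all names made up for the example) and then verifies the device certificates against the trusted root while limiting how many intermediate CAs the verifier may traverse. The root verified against itself is level 0, bigip-a signed directly by the root is level 1, and bigip-b signed through the intermediate is level 2; a depth limit of 0 accepts bigip-a but rejects bigip-b, which is exactly the effect of the chain-depth setting on a BIG-IP system. It assumes a modern openssl (1.1.0 or later), where -verify_depth counts only intermediate CAs.

```shell
# Added example (not from the F5 manual): demonstrate certificate-chain levels
# and depth-limited verification with the openssl CLI. All names are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal request config; -subj supplies the real names. The two extension
# sections mark a certificate as a CA (may sign others) or as an end entity.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
EOF

# Level 0: a self-signed root CA, verified only by itself.
openssl req -config req.cnf -x509 -new -newkey rsa:2048 -nodes -days 1 \
  -subj /CN=root-ca -extensions ca_ext -keyout root-ca.key -out root-ca.crt >/dev/null 2>&1

# Issue a certificate named "$1", signed by CA "$2", with extension section "$3".
issue() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile req.cnf -extensions "$3" -out "$1.crt" >/dev/null 2>&1
}

issue int-ca  root-ca ca_ext    # intermediate CA under the root
issue bigip-a root-ca leaf_ext  # device cert signed directly by the root (level 1)
issue bigip-b int-ca  leaf_ext  # device cert signed via the intermediate (level 2)

# Verify device certificate "$1" against the trusted root, allowing at most "$2"
# intermediate CAs in the chain. Optional "$3" is a file of untrusted intermediates
# the verifier may use to build the chain. Returns openssl's exit status.
verify_device() {
  if [ $# -ge 3 ]; then
    openssl verify -verify_depth "$2" -CAfile root-ca.crt -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -verify_depth "$2" -CAfile root-ca.crt "$1" >/dev/null 2>&1
  fi
}

# Verify a certificate using only itself as the trust anchor: level 0 succeeds
# only for a self-signed certificate.
verify_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print OK/FAIL for one verification attempt without tripping set -e.
show() {
  label=$1; shift
  if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

show "level 0: root-ca against itself      " verify_self_signed root-ca.crt
show "level 0: bigip-a against itself      " verify_self_signed bigip-a.crt
show "level 1: bigip-a, depth 0            " verify_device bigip-a.crt 0
show "level 2: bigip-b, depth 0            " verify_device bigip-b.crt 0 int-ca.crt
show "level 2: bigip-b, depth 1            " verify_device bigip-b.crt 1 int-ca.crt
show "level 2: bigip-b, intermediate absent" verify_device bigip-b.crt 9
```

The last case shows the other half of the configuration step: even with a generous depth, bigip-b cannot be authenticated unless the verifier has been given the intermediate certificate, which is why each BIG-IP system must import every trusted device certificate the chain needs, not only the root.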

You can view, import, or export a trusted device certificate or certificate chain.

To manage device certificates, log in to the BIG-IP Configuration utility, and on the Main tab, expand System, and click Device Certificates.
