In some cases, BIG-IP systems need to exchange device certificates, that is, Secure Sockets Layer (SSL) certificates and keys used to verify each other's credentials before exchanging data. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other to collect performance data over a wide area network, for global traffic management.
To perform mutual authentication, BIG-IP systems can use either self-signed certificates or CA-signed certificates:
BIG-IP systems on the network use self-signed or CA-signed certificates for these reasons:
When requesting SSL authentication from another system, the BIG-IP system needs to present its device certificate. On the BIG-IP system, a device certificate is an SSL certificate that a BIG-IP system presents to another device on the network, for authentication purposes. A device certificate can be either a self-signed certificate or a CA-signed certificate.
Using the Configuration utility, you can view, import, renew, or export a device certificate.
You can also import or export a device key. The properties of a device key are:
The BIG-IP system uses a trusted device certificate or a certificate chain to authenticate another system. For example, a BIG-IP system running Global Traffic Manager might send a request to a BIG-IP system running Local Traffic Manager. In this case, the Local Traffic Manager system that receives the request checks its trusted device certificate or certificate chain to authenticate the request.
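The check described above, as an added example that is not F5 code: a lab PKI built with openssl shows how what the receiving system holds as its trusted device certificate (a single peer certificate or a CA chain) decides whether a presented device certificate is accepted. It assumes openssl is installed; the host names, subject names and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not F5's code. Assumes openssl is installed; every name and path
# below is constructed for this lab and does not refer to a real BIG-IP system.
set -e
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# Root CA and an intermediate CA: together they form the "certificate chain"
# that a receiving BIG-IP system would import as its trusted device certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$LAB/root.key" \
  -out "$LAB/root.crt" -subj "/CN=Lab Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' > "$LAB/ca.ext"
openssl req -newkey rsa:2048 -nodes -keyout "$LAB/inter.key" -out "$LAB/inter.csr" \
  -subj "/CN=Lab Issuing CA" 2>/dev/null
openssl x509 -req -in "$LAB/inter.csr" -CA "$LAB/root.crt" -CAkey "$LAB/root.key" \
  -CAcreateserial -extfile "$LAB/ca.ext" -days 30 -out "$LAB/inter.crt" 2>/dev/null
cat "$LAB/inter.crt" "$LAB/root.crt" > "$LAB/chain.crt"

# CA-signed device certificate for a hypothetical LTM system, issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout "$LAB/ltm.key" -out "$LAB/ltm.csr" \
  -subj "/CN=bigip-ltm.lab" 2>/dev/null
openssl x509 -req -in "$LAB/ltm.csr" -CA "$LAB/inter.crt" -CAkey "$LAB/inter.key" \
  -CAcreateserial -days 30 -out "$LAB/ltm.crt" 2>/dev/null

# Self-signed device certificate for a hypothetical GTM system.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$LAB/gtm.key" \
  -out "$LAB/gtm.crt" -subj "/CN=bigip-gtm.lab" 2>/dev/null

# verify_device_cert TRUSTED PRESENTED -> prints "trusted" or "rejected".
# TRUSTED is the file the receiving system holds as its trusted device certificate:
# either the peer's own certificate (self-signed case) or the CA chain (CA-signed case).
verify_device_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

# The four cases worth checking before relying on the trust setup. Note that the
# CA-signed certificate fails against the root alone: the intermediate must be
# part of the trusted chain, not just the root.
echo "CA-signed cert vs full chain:     $(verify_device_cert "$LAB/chain.crt" "$LAB/ltm.crt")"
echo "CA-signed cert vs root only:      $(verify_device_cert "$LAB/root.crt" "$LAB/ltm.crt")"
echo "self-signed cert vs its own copy: $(verify_device_cert "$LAB/gtm.crt" "$LAB/gtm.crt")"
echo "self-signed cert vs CA chain:     $(verify_device_cert "$LAB/chain.crt" "$LAB/gtm.crt")"
```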
The SSL protocol supports ten levels of authentication:
To configure multi-level certificate authentication, you must:
You can view, import, or export a trusted device certificate or certificate chain.
To manage device certificates, log in to the BIG-IP Configuration utility, and on the Main tab, expand System, and click Device Certificates.