Manual Chapter : Authenticating with SSL Certificates Signed by a Third Party

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP DNS

  • 17.0.0, 16.1.5, 16.1.4, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Manual Chapter

Authenticating with SSL Certificates Signed by a Third Party

Overview: Authenticating with SSL certificates signed by a third party

BIG-IP systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary.
BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates.
The
big3d
agent on all BIG-IP systems and the
gtmd
agent on BIG-IP DNS systems use the certificates to authenticate communication between the systems.

About SSL authentication levels

SSL supports ten levels of authentication (also known as certificate depth):
  • Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
  • Level 1 certificates are authenticated by a CA server that is separate from the system.
  • Levels 2 - 9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as
    certificate chains
    ) allow for a tiered verification system that ensures that only authorized communications occur between servers.

Configuring Level 1 SSL authentication

You can configure BIG-IP systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:
  • A signed certificate/key pair.
  • The root certificate from the CA server.

Importing the device certificate signed by a CA server

To configure the BIG-IP system for Level 1 SSL authentication, import the device certificate signed by the CA server.
Perform this procedure on all BIG-IP systems that you want to handle Level 1 SSL authentication.
  1. On the Main tab, click
    System
    Device Certificates
    .
    The Device Certificate screen opens.
  2. Click
    Import
    .
  3. From the
    Import Type
    list, select
    Certificate and Key
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate signed by the CA server.
  5. For the
    Key Source
    setting, select
    Upload File
    and browse to select the device key file.
  6. Click
    Import
    .

Importing the root certificate for the gtmd agent

Before you start this procedure, ensure that you have the root certificate from your CA server available.
To set up the system to use a third-party certificate signed by a CA server, replace the existing certificate file for the
gtmd
agent with the root certificate of your CA server.
Perform this procedure on only one BIG-IP DNS system in the BIG-IP DNS synchronization group. The system automatically synchronizes the setting with the other systems in the group.
  1. On the Main tab, click
    DNS
    GSLB
    Servers
    Trusted Server Certificates
    .
    The Trusted Server Certificates screen opens.
  2. Click
    Import
    .
  3. From the
    Import Method
    list, select
    Replace
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the root certificate file.
  5. Click
    Import
    .

Importing the root certificate for the big3d agent

Before you start this procedure, ensure that the root certificate from your CA server is available.
Perform this procedure on all BIG-IP systems that you want to configure for Level 1 SSL authentication.
  1. On the Main tab, click
    System
    Device Certificates
    Trusted Device Certificates
    .
    The Trusted Device Certificates screen opens.
  2. Click
    Import
    .
  3. From the
    Import Method
    list, select
    Replace
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate signed by the CA server.
  5. Click
    Import
    .

Verifying the certificate exchange

You can verify that you installed the certificate correctly, by running the following commands on all BIG-IP systems that you configured for Level 1 SSL authentication.
iqdump <IP address of BIG-IP you are testing> iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>
If the certificate was installed correctly, these commands display a continuous stream of information.

Implementation Results

The BIG-IP systems are now configured for Level 1 SSL authentication.

Configuring certificate chain SSL authentication

You can configure BIG-IP systems for certificate chain SSL authentication.

Creating a certificate chain file

Before you start this procedure, ensure that you have the certificate files from your CA servers available.
Create a certificate chain file that you can use to replace the existing certificate file.
  1. Using a text editor, create an empty file for the certificate chain.
  2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
  3. Repeat step 2 for each certificate that you want to include in the certificate chain.
You now have a certificate chain file.

Importing the device certificate from the last CA server in the chain

Import the device certificate signed by the last CA in the certificate chain.
Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.
  1. On the Main tab, click
    System
    Device Certificates
    .
    The Device Certificate screen opens.
  2. Click
    Import
    .
  3. From the
    Import Type
    list, select
    Certificate and Key
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate signed by the CA server.
  5. For the
    Key Source
    setting, select
    Upload File
    and browse to select the device key file.
  6. Click
    Import
    .

Importing a certificate chain file for the gtmd agent

Before importing a certificate chain file for the gtmd agent, ensure that you have the certificate chain file available.
Replace the existing certificate file on the system with a certificate chain file.
Perform these steps on only one BIG-IP DNS in a BIG-IP DNS synchronization group. The system automatically synchronizes the setting with the other systems in the group.
  1. On the Main tab, click
    DNS
    GSLB
    Servers
    Trusted Server Certificates
    .
    The Trusted Server Certificates screen opens.
  2. Click
    Import
    .
  3. From the
    Import Method
    list, select
    Replace
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the device certificate for the last CA in the certificate chain.
  5. Click
    Import
    .

Importing a certificate chain for the big3d agent

Before importing a certificate chain for the big3d agent, ensure that the certificate chain file is available.
Perform these steps on all BIG-IP systems that you want to configure for certificate chain SSL authentication.
  1. On the Main tab, click
    System
    Device Certificates
    Trusted Device Certificates
    .
    The Trusted Device Certificates screen opens.
  2. Click
    Import
    .
  3. From the
    Import Method
    list, select
    Replace
    .
  4. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate chain file.
  5. Click
    Import
    .

Verifying the certificate chain exchange

You can verify that you installed the certificate chain correctly running the following commands on all the systems you configure for certificate chain SSL authentication.
iqdump <IP address of BIG-IP system you are testing> iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>
If the certificate chain was installed correctly, these commands display a continuous stream of information.

Implementation result

The BIG-IP systems are now configured for certificate chain SSL authentication. For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com (
www.askf5.com
).