Authenticating with SSL Certificates Signed by a Third Party
BIG-IP systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary.
BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates.
The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP DNS systems use the certificates to authenticate communication between the systems.
SSL supports ten levels of authentication (also known as certificate depth):
- Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
- Level 1 certificates are authenticated by a CA server that is separate from the system.
- Level 2 through Level 9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers.
You can configure BIG-IP systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:
- A signed certificate/key pair.
- The root certificate from the CA server.
To configure the BIG-IP system for Level 1 SSL authentication, import the device certificate signed by the CA server.
Note: Perform this procedure on all BIG-IP systems that you want to handle Level 1 SSL authentication.
1. On the Main tab, click System > Device Certificates.
   The Device Certificate screen opens.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.
Before you start this procedure, ensure that you have the root certificate from your CA server available.
To set up the system to use a third-party certificate signed by a CA server, replace the existing certificate file for the gtmd agent with the root certificate of your CA server.
Note: Perform this procedure on only one BIG-IP DNS system in the BIG-IP DNS synchronization group. The system automatically synchronizes the setting with the other systems in the group.
1. On the Main tab, click DNS > GSLB > Servers > Trusted Server Certificates.
   The Trusted Server Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the root certificate file.
5. Click Import.
Before importing the root certificate for the big3d agent, ensure that the root certificate from your CA server is available.
Note: Perform this procedure on all BIG-IP systems that you want to configure for Level 1 SSL authentication.
1. On the Main tab, click System > Device Certificates > Trusted Device Certificates.
   The Trusted Device Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. Click Import.
You can verify that you installed the certificate correctly by running the following commands on all BIG-IP systems that you configured for Level 1 SSL authentication:
iqdump <IP address of BIG-IP you are testing>
iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>
If the certificate was installed correctly, these commands display a continuous stream of information.
The BIG-IP systems are now configured for Level 1 SSL authentication.
You can configure BIG-IP systems for certificate chain SSL authentication.
Before you start this procedure, ensure that you have the certificate files from your CA servers available.
Create a certificate chain file that you can use to replace the existing certificate file.
1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.
You now have a certificate chain file.
Import the device certificate signed by the last CA in the certificate chain.
Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.
1. On the Main tab, click System > Device Certificates.
   The Device Certificate screen opens.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.
Before importing a certificate chain file for the gtmd agent, ensure that you have the certificate chain file available.
Replace the existing certificate file on the system with a certificate chain file.
Note: Perform these steps on only one BIG-IP DNS in a BIG-IP DNS synchronization group. The system automatically synchronizes the setting with the other systems in the group.
1. On the Main tab, click DNS > GSLB > Servers > Trusted Server Certificates.
   The Trusted Server Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the device certificate for the last CA in the certificate chain.
5. Click Import.
Before importing a certificate chain for the big3d agent, ensure that the certificate chain file is available.
Note: Perform these steps on all BIG-IP systems that you want to configure for certificate chain SSL authentication.
1. On the Main tab, click System > Device Certificates > Trusted Device Certificates.
   The Trusted Device Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate chain file.
5. Click Import.
You can verify that you installed the certificate chain correctly by running the following commands on all the systems you configured for certificate chain SSL authentication:
iqdump <IP address of BIG-IP system you are testing>
iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>
If the certificate chain was installed correctly, these commands display a continuous stream of information.
The BIG-IP systems are now configured for certificate chain SSL authentication. For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com (www.askf5.com).