Applies To:
Show VersionsBIG-IP DNS
- 13.0.1, 13.0.0
Overview: Authenticating with SSL certificates signed by a third party
BIG-IP® systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary.
BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates.
The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP DNS systems use the certificates to authenticate communication between the systems.
About SSL authentication levels
SSL supports ten levels of authentication (also known as certificate depth):
- Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
- Level 1 certificates are authenticated by a CA server that is separate from the system.
- Levels 2 - 9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers.
Configuring Level 1 SSL authentication
You can configure BIG-IP® systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:
- A signed certificate/key pair.
- The root certificate from the CA server.
Task Summary
Importing the device certificate signed by a CA server
Importing the root certificate for the gtmd agent
Importing the root certificate for the big3d agent
Verifying the certificate exchange
iqdump <IP address of BIG-IP you are testing> iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>
Implementation Results
The BIG-IP® systems are now configured for Level 1 SSL authentication.
Configuring certificate chain SSL authentication
You can configure BIG-IP® systems for certificate chain SSL authentication.
Task Summary
Creating a certificate chain file
- Using a text editor, create an empty file for the certificate chain.
- Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
- Repeat step 2 for each certificate that you want to include in the certificate chain.
Importing the device certificate from the last CA server in the chain
Importing a certificate chain file for the gtmd agent
Importing a certificate chain for the big3d agent
Verifying the certificate chain exchange
iqdump <IP address of BIG-IP system you are testing> iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>
Implementation result
The BIG-IP® systems are now configured for certificate chain SSL authentication. For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com (www.askf5.com).