Applies To:
BIG-IP GTM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Overview: Authenticating with SSL certificates signed by a third party
BIG-IP systems use Secure Sockets Layer (SSL) authentication to verify the credentials of the systems with which they exchange data.
BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates.
The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP Global Traffic Manager (GTM) systems use the certificates to authenticate communication between the systems.
About SSL authentication levels
SSL supports ten levels of authentication (also known as certificate depth):
- Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
- Level 1 certificates are authenticated by a CA server that is separate from the system.
- Levels 2 - 9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers.
Configuring Level 1 SSL authentication
You can configure BIG-IP systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:
- A signed certificate/key pair.
- The root certificate from the CA server.
Task Summary
- Importing the device certificate
- Importing the root certificate for the gtmd agent
- Importing the root certificate for the big3d agent
- Verifying the certificate exchange
Configuring certificate chain SSL authentication
You can configure BIG-IP systems for certificate chain SSL authentication.
Task Summary
Creating a certificate chain file
1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.
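The copy-and-paste procedure above can be scripted so that a truncated paste, a duplicated certificate, or a private key pasted by mistake is caught before the file is imported. The following Python sketch is an added example, not F5 code: the function names and the sample PEM blocks are constructed for illustration, and it checks PEM framing only, not signatures or the order of the chain.

```python
import base64
import re

# One PEM block of any type; the label is captured so that blocks other
# than certificates (for example a private key) can be rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def extract_certificates(pem_text):
    """Return the CERTIFICATE blocks in pem_text, re-wrapped at 64 columns."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            # The chain file is copied to other systems; keys must stay out of it.
            raise ValueError(f"refusing to copy a {label} block into a chain file")
        # validate=True rejects stray characters left by a partial paste.
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return certs

def build_chain(pem_texts):
    """Start empty, then append each certificate once, in the order given."""
    chain = []
    for text in pem_texts:
        found = extract_certificates(text)
        if not found:
            raise ValueError("input contains no complete certificate block")
        for cert in found:
            if cert not in chain:  # skip a certificate that was pasted twice
                chain.append(cert)
    return "\n".join(chain) + "\n"

def _fake_pem(label, payload):
    # Constructed sample data: arbitrary bytes, not a real certificate or key.
    b64 = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

SAMPLE_CA1 = "Subject: constructed CA one\n" + _fake_pem("CERTIFICATE", b"constructed-ca-one" * 5)
SAMPLE_CA2 = _fake_pem("CERTIFICATE", b"constructed-ca-two" * 5)
SAMPLE_KEY = _fake_pem("PRIVATE KEY", b"constructed-key")

if __name__ == "__main__":
    print(build_chain([SAMPLE_CA1, SAMPLE_CA2, SAMPLE_CA1]), end="")
```

Text outside the BEGIN/END markers, such as a human-readable dump preceding a certificate, is dropped, so the resulting file contains only the certificate blocks.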