DSC and trust creation
Hi,
Probably trivial and not so important, but I am not so good at SSL stuff and am still curious how it works.
Before creating HA we have two (or more) standalone LTMs (ltm_A and ltm_B). Each one has its own CA and its own identity certificate signed by its own CA.
Then we are adding ltm_B as a peer from ltm_A. What exactly is happening here?
- Is a standard SSL handshake with client authentication performed? So ltm_B is sending its identity cert (as server) and ltm_A is sending its identity cert as client?
- If so, how is the validation of the certs performed - each identity cert is signed by a different CA (local to each LTM)?
- Or is ltm_A sending its CA cert and key to ltm_B first - a bit strange security-wise, but maybe it's based only on the user and password used when adding another LTM?
- I can see that after adding to the Trust Domain both LTMs have the same cert (identical Serial Number for the CA certs) listed in Device Trust : Local Domain.
- Then ltm_B is generating a new identity cert using the passed CA info - because both are using the same CA for signing the identity cert, the CA check passes - or ltm_A is receiving a CSR from ltm_B and signing it like any other CA, and then it can trust the cert presented by ltm_B?
Or maybe it's done some other way?
If it's more or less like that, what is the difference when adding another LTM as Peer and as Subordinate - only that a Peer works as a CA for other LTMs, and a Subordinate can't in fact be used to add another LTM because it is not a CA and can't sign another LTM's certificate?
Piotr