Forum Discussion

computerli
May 11, 2018

Update device certificate

I originally configured the device certificate using the "self" option and also created the Device Trust using this self-issued certificate on the active/standby units.

My company recently implemented a new policy disallowing all self-issued certificates. I installed a new device certificate (issued by an internal CA) and the certificate looks good.

Now when I go to Device Management ›› Device Trust : Local Domain (Version 13.1), under CA Certificate, it shows an "Expiration" date that does not match my new certificate or the root authority.

What is the CA certificate (under Device Management ›› Device Trust : Local Domain) and what kind of information is displayed here? Is this information linked to the device certificate?


3 Replies

  • Anoop

    Under Device Management ›› Device Trust : Local Domain you would see dtca.crt, which is the CA root certificate for the trust network. The same can be found at /config/ssl/ssl.crt/dtca.crt from the command line. BIG-IP systems use the trust architecture to provide a secure framework for configuration synchronization (ConfigSync) and other high availability (HA) features, such as failover for BIG-IP device groups. When the device group components are properly defined, the device group members establish a secure communication channel using SSL certificates to accommodate device group communication and synchronization. You can visit https://support.f5.com/csp/article/K15664 for more details.

  • Thanks Anoop for the description. I understand the benefit of the certificate and its usage during communications. My question is specifically related to the CA certificate.

    What is the CA certificate (under Device Management ›› Device Trust : Local Domain) and what kind of information is displayed here? Is this information linked to the device certificate?

  • Hello dtn,

    You have to change your device certificate. Your new certificate has to be signed by your internal CA. Please follow these steps:

    • Go to Certificate Management : Device Certificate Management : Device Certificate.
    • Then click on Renew.
    • In Issuer, select "Certificate Authority".
    • Then click on Finished.

    You will obtain a CSR that you will provide to your internal CA admin. Once signed, just import it in the same place.

    After that, your cert will be signed by your internal CA and you will no longer have a certificate error or blocking by your policy.

    For information, under Device Management ›› Device Trust : Local Domain, the CA certificate is used for the HA part. It is not there that you manage the SSL certificate of the device.

    Keep me in touch if it's OK for you or if you need additional assistance.

    Regards
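To see from the CLI which file carries which expiry and issuer, here is an added example (not from this thread or from F5) that summarises the device-trust CA (dtca.crt, path from Anoop's reply) next to the device certificate. The device certificate path /config/httpd/conf/ssl.crt/server.crt is an assumption; the check relies only on the openssl CLI.

```shell
#!/bin/sh
# Compare the BIG-IP device certificate (HTTPS management, what the
# company policy cares about) with the device-trust CA (ConfigSync/HA).
# The two are separate files with separate issuers and expiry dates, so a
# renewed device certificate does not change what Device Trust displays.

cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
cert_expiry()  { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Exit status 0 when the certificate is self-signed (issuer equals subject),
# i.e. the kind the policy in the thread disallows; 1 when CA-issued.
cert_is_self_signed() {
    [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ]
}

# One summary block per file, so the two trust stores can be read side by side.
cert_summary() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            printf '%s: not readable\n' "$f"
            continue
        fi
        if cert_is_self_signed "$f"; then kind=self-signed; else kind=CA-issued; fi
        printf '%s\n  subject: %s\n  issuer:  %s\n  expires: %s (%s)\n' \
            "$f" "$(cert_subject "$f")" "$(cert_issuer "$f")" "$(cert_expiry "$f")" "$kind"
    done
}

# Assumed device-certificate path first, then the dtca.crt path named in the thread.
cert_summary /config/httpd/conf/ssl.crt/server.crt /config/ssl/ssl.crt/dtca.crt
```

Running it before and after the renewal shows the device certificate switching from self-signed to CA-issued while dtca.crt, and therefore the Device Trust expiration, stays the same.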