BIG-IP DNS and LTM - Certificate Trust

Question

Hey all,&nbsp;
Big-IP DNS - has  signed device cert by private CA.&nbsp;
Big-IP LTM - has  signed device cert by private CA. &nbsp;
Big-IP DNS - when configuring GSLB Servers and adding LTMs then running bigip_add on DNS box to form trust with the added LTMs - never turn GREEN. /var/log/gtm showing cert validation errors. When I look at the Trusted Cert - I see that each box has each others cert inside trusted certificate. &nbsp;
The fix seems to be - when I add the entire chain in device certificates on DNS device (not just the cert) but the device cert / intermediate cert / ca certs all together - I can then get connection and GREEN status between the DNS and LTMs. &nbsp;
BUT - now I see the CA cert as part of the trusted certs inside both LTM and also inside DNS boxes. Wouldn't that be possible TRUST issue that anyone with a CA cert would be trusted? &nbsp;
Running 13.x code - any good documentation that covers this and validation IF I need entire chain would be helpful. &nbsp;
Thanks for feedback!&nbsp;

philip_jonsson · Answer

There seem to be a lot of stuff you need to verify in order to get a third-party CA certificate to work. Have you gone through the following SOL?&nbsp;
https://support.f5.com/csp/article/K7717&nbsp;

Forum Discussion

BIG-IP DNS and LTM - Certificate Trust

1 Reply

Recent Discussions

preserve client IP on layer 4 VIP

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

Zero Trust building blocks - Leverage Microsoft Intune endpoint Compliance with F5 BIG-IP APM Access

Zero Trust building blocks - F5 BIG-IP Access Policy Manager (APM) and PingIdentity

Re: Becoming F5 Certified - BIG-IP Administrator Certification - 101 & 201 Exams

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Trust your CDN, but not completely