BIG-IP DNS and LTM - Certificate Trust

Question

Hey all,&nbsp;
Big-IP DNS - has  signed device cert by private CA.&nbsp;
Big-IP LTM - has  signed device cert by private CA. &nbsp;
Big-IP DNS - when configuring GSLB Servers and adding LTMs then running bigip_add on DNS box to form trust with the added LTMs - never turn GREEN. /var/log/gtm showing cert validation errors. When I look at the Trusted Cert - I see that each box has each others cert inside trusted certificate. &nbsp;
The fix seems to be - when I add the entire chain in device certificates on DNS device (not just the cert) but the device cert / intermediate cert / ca certs all together - I can then get connection and GREEN status between the DNS and LTMs. &nbsp;
BUT - now I see the CA cert as part of the trusted certs inside both LTM and also inside DNS boxes. Wouldn't that be possible TRUST issue that anyone with a CA cert would be trusted? &nbsp;
Running 13.x code - any good documentation that covers this and validation IF I need entire chain would be helpful. &nbsp;
Thanks for feedback!&nbsp;

philip_jonsson · Answer

There seem to be a lot of stuff you need to verify in order to get a third-party CA certificate to work. Have you gone through the following SOL?&nbsp;
https://support.f5.com/csp/article/K7717&nbsp;

Forum Discussion

BIG-IP DNS and LTM - Certificate Trust

Recent Discussions

How to Renew F5 Device Certificate

UCS backup not loading Big IP DNS pool

XC Bot defense question

Big-IP not recognized by Big-IQ

Application only need to access from 2 uris

Related Content

Help F5 Transform the BIG-IP Administrator Certification

Updating SSL Certificates on BIG-IP using REST API

BIG-IP Next: iRules pool routing

BIG-IP Next Automation: AS3 Basics

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS