Forum Discussion

aldrinstephengomes's avatar
Icon for Nimbostratus rankNimbostratus
Jun 25, 2023

Can I deployed a machine certificate in network load balancer?

Hi all,

This is Aldrin Stephen Gomes form Bangladesh. I want to use a CA machine certificate in load balancer. Is it possible to use a machine certificate in load balancer...??? N/B: it will be CA machine certificate, not SSL certificate. I hope anyone have a better knowledge in this part & they can help me to find out the solutions...!!!

Thank you

Aldrin Stephen Gomes.

9 Replies

  • Im going to be a little harsh here perhaps, but the term you use doesn't exist. You can call it CA machine certificate, but it is better to find out how the rest of the world calls them.

    Every certificate is a SSL certificate, sure you have client, server, (intermediate) CA certificates, but they are all SSL. You even say it comes from a Trusted Certifying Authority which points to SSL.

    Mohamed_Ahmed_Kansoh suggests the device certificate, which is again nothing more then a client/server SSL certificate but used for management access and BIG-IP to BIG-IP communication.

    Will you be using the certificate for management or for traffic through the BIG-IP?

    • Hi boneyard , 

      Yes I expected that he is asking for Device certificate specially he mentioned it's comming from CA , So may he asking for Device Cert itself which he calls it machine certificate. 

      That's my expectation... 

      Thanks boneyard 

    • CA_Valli's avatar
      Icon for MVP rankMVP

      I very much agree with other MVP's, we need to understand the scope better.

      aldrinstephengomes - you're saying that you'll be installing a Trusted certificate that was signed by your Root CA. This is not the RootCA certificate, and it comes wiuthout a key. 

      - While it's possible to store certificates in this way on the BIG-IP, please understand that traffic decryption will not be possible if F5 doesn't have the certificate key. 

      - It's common practice to store certificates this way if you want to build a Certificate Chain on the BIG-IP. This will enable clients to verify that the server certificate and all CA's are trustworthy. Usually, in this setup, F5 is using a certificate+key pair that's signed by the last CA in the chain to decrypt SSL traffic. 


    • aldrinstephengomes's avatar
      Icon for Nimbostratus rankNimbostratus

      Hi @Mohamed_Ahmed_Kansoh

      Yes sure, that will be a certificate which will be generated from Trusted Certifying Authority & I want to deployed it in Load balancer hardware port. The machanism will be without privet key another component cannot communicate with load balancer. Hope ill get a solution...!!


      Aldrin Stephen Gomes