Forum Discussion
Kevin_48708
Nov 09, 2011, Nimbostratus
Can SAN certificates be used for Device certificates?
Hello
I'm attempting to apply 3rd party signed certificates as device certificates on a GTM and LTM deployment.
I have created a trust chain by concatenating the Root and Intermed...
Kevin_48708
Nov 15, 2011, Nimbostratus
Dear All
SAN certificates can be used for device certificates.
There are a few requirements that must be met.
1. The certificate chain for the root and any intermediate CA certificates must be loaded into the Trusted Device certificates, for use by the big3d daemon.
2. The certificate chain for the root and any intermediate CA certificates must be loaded into the Trusted Server Certificates, for use by the gtmd daemon.
3. The certificate chain for the root and any intermediate CA certificates needs to be saved into /config/httpd/ssl.crt/ for use by the httpd.
4. The httpd daemon then needs to be informed where to find the CA certificate chain.
Create CA chain
If your certs are in .pem format then you can simply cut and paste them into a single file. I'm not sure if the order matters but I put the root CA cert at the top of the file and my intermediate CA below it. If you are familiar with the unix cli command cat you can do this from the command line on the bigip.
Big3d
From the GUI System >>> Device Certificates >>> Trusted Device Certificates >>> Import.
At this stage I appended the certificate chain to the existing trusted certificates. You also have the option to replace; beware, this deletes all the existing trusted device certificates.
Gtmd
From the GUI Global Traffic >>> Servers >>> Trusted Server Certificates >>> Import. The same options to append or replace apply as with the Big3d process above.
Httpd
Use WinSCP or FileZilla etc to upload the CA certificate chain to /config/httpd/ssl.crt/
From tmsh you need to instruct httpd to reference the CA certificate chain:
modify sys httpd ssl-certchainfile /config/httpd/ssl.crt/your_ca_cert_chain.crt
Not sure about bigpipe but it's something like:
[root@xxx:Active] / b httpd sslcertchainfile /config/httpd/conf/ssl.crt/your_ca_cert_chain.crt
Repeat this process on other GTMs and LTMs (excluding the gtmd part). Restart big3d, gtmd and httpd. Check your results using iqdump.
Best Regards
Kevin
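As an added example that is not part of Kevin's post or any F5 tooling, the script below does the "cat the PEM files together" step from the answer and then checks the result with openssl before anything is imported into big3d, gtmd or httpd: it counts the certificates in the bundle, confirms that the SAN device certificate chains to it, shows that an incomplete bundle (root only) fails, and lists the SAN entries the certificate actually carries. The root, intermediate and device certificates are generated on the fly with hypothetical names (Example Root CA, gtm1.example.com, ltm1.example.com) so it runs offline; in practice you would point it at your own PEM files. Note that `openssl verify -CAfile` treats the bundle as a trust store, so for this check the order of root and intermediate does not matter, which is why both orders are tried.

```shell
#!/bin/sh
# Added example, not from the DevCentral post: build the concatenated CA chain
# file described above and verify a SAN device certificate against it with
# openssl before loading it onto a BIG-IP. The two-tier CA and the device cert
# are constructed here with hypothetical names so the script runs offline;
# substitute your own root.pem, intermediate.pem and device.pem in practice.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_device]
basicConstraints = CA:FALSE
subjectAltName = DNS:gtm1.example.com,DNS:ltm1.example.com
EOF

# Constructed test PKI: root -> intermediate -> device cert with two SAN entries.
make_test_pki() {
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -days 2 -subj "/CN=Example Root CA" 2>/dev/null
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout int.key -out int.csr -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
        -extfile pki.cnf -extensions v3_ca -out intermediate.pem 2>/dev/null
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout device.key -out device.csr -subj "/CN=gtm1.example.com" 2>/dev/null
    openssl x509 -req -in device.csr -CA intermediate.pem -CAkey int.key -CAcreateserial -days 2 \
        -extfile pki.cnf -extensions v3_device -out device.pem 2>/dev/null
}

# The post's "cat" step: concatenate PEM files into one chain file.
build_chain() {
    out="$1"; shift
    cat "$@" > "$out"
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit status 0 if the device cert chains to the bundle, non-zero otherwise.
verify_device_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SAN DNS names of a certificate, one per line, without the "DNS:" prefix.
list_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://'
}

make_test_pki
build_chain chain.crt root.pem intermediate.pem          # root first, as in the post
build_chain chain_reversed.crt intermediate.pem root.pem # intermediate first
build_chain root_only.crt root.pem                       # incomplete chain

echo "chain.crt holds $(count_certs chain.crt) certificates"
echo "device.pem SANs: $(list_sans device.pem | tr '\n' ' ')"
for bundle in chain.crt chain_reversed.crt root_only.crt; do
    if verify_device_cert "$bundle" device.pem; then
        echo "$bundle: device cert verifies"
    else
        echo "$bundle: verification FAILED (intermediate missing from the bundle?)"
    fi
done
```

The root-only bundle is there to show the failure mode behind the post's first three requirements: if the intermediate is left out of the file that big3d, gtmd or httpd is given, the device certificate cannot be chained to a trusted root and the peer check fails, which is exactly what iqdump would surface after the restart.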