Forum Discussion
Changing the Management Login to Port 636
Hi Brandon,
SSL Check Peer determines whether or not you want the F5 BIG-IP (acting as the SSL client) to verify the SSL certificate of the LDAP server.
SSL Check Peer
Specifies whether the system checks an SSL peer, as a result of which the system requires and verifies the server certificate. The default value is disabled.
- Brandon (Cirrostratus), Feb 14, 2025
Thanks for the answer on SSL Peer Check.
One last question: login works whether I have chosen an SSL CA Certificate or left it as none. To me, I would have to choose a cert?
- Feb 14, 2025
Typically, when you enable the "SSL Check Peer" option (which essentially tells the BIG-IP to verify the chain of trust of the LDAPS server certificate), then for the "SSL CA Certificate" option, you should select a Root CA certificate / bundle that is able to chain back from the LDAPS server certificate.
If the SSL certificate on the LDAPS server is signed by a public certificate authority (e.g. DigiCert, Sectigo), then you should be able to just select the pre-installed "ca-bundle.crt" (as it contains the root CA certificates of the most popular public CAs). However, if the SSL certificate on the LDAPS server is signed by your own internal CA or is self-signed, then you should upload the corresponding internal Root CA / self-signed certificate to the BIG-IP and then select that for the "SSL CA Certificate" option.
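The chain check described in the reply above can be reproduced offline with openssl to see which file belongs in "SSL CA Certificate". This is an added example, not part of the original reply or F5's own tooling; the certificates, subject names and file paths are constructed, and the unrelated CA stands in for a bundle that lacks your internal root.

```shell
#!/usr/bin/env bash
# Added example: every certificate, name and path here is constructed.

# Create a throwaway internal root CA, an unrelated CA, and an LDAPS server
# certificate signed by the internal root. All files are written to dir $1.
make_lab() {
  # Self-signed internal root CA, standing in for your own PKI.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$1/internal-ca.key" -out "$1/internal-ca.crt" 2>/dev/null || return 1
  # Unrelated CA, standing in for a bundle that lacks the internal root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Unrelated CA" \
    -keyout "$1/other-ca.key" -out "$1/other-ca.crt" 2>/dev/null || return 1
  # LDAPS server key and CSR, then sign the CSR with the internal root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
    -keyout "$1/ldaps.key" -out "$1/ldaps.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/ldaps.csr" -days 1 \
    -CA "$1/internal-ca.crt" -CAkey "$1/internal-ca.key" -CAcreateserial \
    -out "$1/ldaps.crt" 2>/dev/null
}

# Succeeds (exit 0) when openssl can chain server certificate $2 back to a
# root in CA file $1, which is the check a verifying client performs.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: print which candidate CA file validates the server certificate.
lab=$(mktemp -d)
if make_lab "$lab"; then
  for ca in other-ca.crt internal-ca.crt; do
    if chains_to "$lab/$ca" "$lab/ldaps.crt"; then
      echo "$ca: chain verifies"
    else
      echo "$ca: chain does NOT verify"
    fi
  done
fi
rm -rf "$lab"
```

On real files, call `chains_to` with the CA file you plan to upload and the certificate exported from the LDAPS server.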