Forum Discussion
CirrostratusChanging the Managment Login to Port 636
Typically, when you enable the "SSL Check Peer" option (which essentially tells the BIG-IP to verify the chain of trust of the LDAPS server certificate), then for the "SSL CA Certificate" option, you should select a Root CA certificate / bundle that is able to chain back from the LDAPS server certificate.
If the SSL certificate on the LDAPS server is signed by a public certificate authority (e.g. Digicert, Sectigo), then you should be able to just select the pre-installed "ca-bundle.crt" (as it contains the root CA certificates of the most popular public CAs). However, if the SSL certificate on the LDAPS server is signed by your own internal CA or is self signed, then you should upload the corresponding internal Root CA / self signed certificate to the BIG-IP and then select that for the "SSL CA Certificate" option.
CirrostratusThanks for the answer on SSL Peer Check.
One last question login works wether i have chosen a SSL CA Certificate or Left it as none. To me I would have to choose a Cert?
Typically, when you enable the "SSL Check Peer" option (which essentially tells the BIG-IP to verify the chain of trust of the LDAPS server certificate), then for the "SSL CA Certificate" option, you should select a Root CA certificate / bundle that is able to chain back from the LDAPS server certificate.
If the SSL certificate on the LDAPS server is signed by a public certificate authority (e.g. Digicert, Sectigo), then you should be able to just select the pre-installed "ca-bundle.crt" (as it contains the root CA certificates of the most popular public CAs). However, if the SSL certificate on the LDAPS server is signed by your own internal CA or is self signed, then you should upload the corresponding internal Root CA / self signed certificate to the BIG-IP and then select that for the "SSL CA Certificate" option.
