Herman2024
Jan 27, 2025
Solved

Some questions on Device Trust Certificate?

Hi, I have two questions on device trust certificates (client cert).

  1. Why are there duplicate certificates on the Device Trust Certificate list? I saw duplicate GTM device certificates in LTM devices.
  2. Is it true that only the GTM device certificate is sent to the LTM device, and the reverse is "no" -- no LTM device certificate in the GTM Device Trust Certificate list? I checked GTM and LTM devices for our different regions; no LTM device certificate is on any GTM Device Trust Certificate list.

Can someone please help advise, thanks in advance!

  • Herman2024,

    About your questions:

    1. Review the serial number of the certificates. You are probably looking at the certificates from your GTM devices, but the certificate name has never been changed.
    2. The GTM-DNS stores the LTM-GTM certificates in other locations; you have to go to: DNS > GSLB > Servers > Trusted Server Certificates.

    I hope this answers your questions.

    • Herman2024

      Hi Sebastiansierra, thanks a lot for your kind advice. Regarding the question on the duplicate certificates, I have checked the serial numbers of the certs, and there really is a duplicate cert in the Device Trust Certificate list on the LTM -- same serial number and other parameters. Can you please advise on the possible cause of duplicate certificates? Thanks in advance!

      • Hi Herman2024,

        If the certificate is the same, you can delete it, but before saving a UCS, duplication could happen in the bigip_add process if it were executed a couple of times, or maybe someone in your company uploaded the certificate after the bigip_add, but it is a little weird. I recommend you generate new self-signed certificates with the name of the hosts for the LTM and GTM devices to avoid generic certificates with the same name.
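
Added example, not part of the original thread: one way to do the serial-number comparison the replies describe is to group the PEM entries of an exported trust bundle by SHA-256 fingerprint and read each serial, so that same-named but different certificates are told apart from true duplicates. The bundle text, the function names and the skeleton sample certificates are assumptions constructed for illustration.

```python
import hashlib
import re
import ssl
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def serial_hex(der):
    """Serial number at Certificate -> tbsCertificate -> serialNumber."""
    _, pos, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field, skip it
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex()

def find_duplicates(bundle_text):
    """Map sha256 fingerprint -> (serial, entry positions) for repeated entries."""
    positions, serials = defaultdict(list), {}
    for i, pem in enumerate(PEM_RE.findall(bundle_text), 1):
        der = ssl.PEM_cert_to_DER_cert(pem)
        fp = hashlib.sha256(der).hexdigest()
        positions[fp].append(i)
        serials[fp] = serial_hex(der)
    return {fp: (serials[fp], idx) for fp, idx in positions.items() if len(idx) > 1}

def skeleton_cert(serial):
    """Constructed sample: DER skeleton with only version and serial (not a real cert)."""
    tbs = bytes([0xA0, 3, 2, 1, 2, 0x02, len(serial)]) + serial
    tbs = bytes([0x30, len(tbs)]) + tbs
    return bytes([0x30, len(tbs)]) + tbs

# Constructed bundle: entry 3 repeats entry 1, entry 2 is a different certificate.
SAMPLE_BUNDLE = "".join(ssl.DER_cert_to_PEM_cert(skeleton_cert(s))
                        for s in (b"\x01\x02\x03\x04", b"\x0a\x0b", b"\x01\x02\x03\x04"))

if __name__ == "__main__":
    for fp, (serial, idx) in find_duplicates(SAMPLE_BUNDLE).items():
        print(f"duplicate serial={serial} sha256={fp[:16]}... entries={idx}")
```

Entries that share a fingerprint are byte-identical certificates; entries that only share a display name will show different fingerprints and serials.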