For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hussy52's avatar
hussy52
Icon for Nimbostratus rankNimbostratus
Oct 09, 2025

What Certificates should be where? GSLB Trust Certificates vs Device Trusted Certificates

Hi All,

My setup consists of two DC's with Two GTM's (Active/Standby) and Two LTM's (Active/Standby) in each DC. Within the GSLB Trusted Certificate Store, there are certs for each others devices, which I believe is the correct setup. (Each device has 8 certs, of its other devices)…

However I am not sure about what should be in the "System - Certificate Management - Device Certificate Management - Device Trust Certificates store. (This is a bit of a mess, some devices have each others, some don't etc. Would like to have this cleaned up.

 

For ease of description will refer to items as the following : - 

DC1GTMA - DC1 Active GTM

DC1GTMS - DC1 Standby GTM

DC1LTMA  - DC1 Active LTM

DC1LTMS - DC1 Standby LTM

 

DC2GTMA - DC2 Active GTM

DC2GTMS - DC2 Standby GTM

DC2LTMA - DC2 Active LTM

DC2LTMS - DC2 Standby LTM

 

The four GTM's are in a device sync group "DNS - Settings - GSLB - General"...so when you make a change on one GTM, its replicated across all of them. Would this come under IQUERY and thus come under the GSLB Trusted Certificate store, or is this under the Device Trust Store?

 

Hope the above makes sense.

 

Thanks

certificate
certificates
device certificate
gslb

2 Replies

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Oct 10, 2025

    First, iQuery is used between the GTM and devices that it wants to gather resource information for. Second, I believe these certs are where they need to be and you shouldn't have to worry about their respective locations. Finally, your GTM HA configuration is a bit much since GTMs are inherently redundant and adding the additional active/standby configuration is a bit of overkill. I would keep the standby GTMs at each site in a storage cabinet somewhere and if your other GTMs ever fail you can swap them out. The LTMs I would leave as is because that is the ideal HA setup for them. Alternatively, if F5 lets you, you can send the standby GTMs back and get a refund because they really aren't necessary. If they don't give you a refund you can install them at 2 other sites and have 4 GTMs worth of redundancy across 4 locations or as I said earlier put them in storage and have them as backups if your live GTM at that respective location.

  • hussy52's avatar
    hussy52
    Icon for Nimbostratus rankNimbostratus
    Oct 10, 2025

    Hi,


    Thanks for the above, I can see the sense on the need for just one GTM, but its in, and I don't think I will get much traction with regards to refunds etc, so I will just let it be, but your points are valid. 

     

    There was more to my post, but for a reason or another it didn't post, so here's another go. I wanted to share, the certs I had in "System - Certificate Management - Device Certificate Management - Device Trust Certificates" as some devices have some certs and its not looking equal so wanted your thoughts on this.

     

    DC1GTMA - has the following certs in its store : -

    • Itself (is this required, can I remove it?)
    • DC1GTMS
    • DC2GTMA
    • DC2GTMS

    DC1GTMS - has the following certs in its store : -

    • Itself is missing? (Required?)
    • DC1GTMS
    • DC2GTMA
    • DC2GTMS

    DC1LTMA- has the following certs in its store : -

    • DC1GTMA
    • DC1GTMS
    • DC2GTMA
    • DC2GTMS
    • Missing DC1LTMS (Do I need it here?)
    • Missing DC2LTMA (Do I need it here?)
    • Missing DC2LTMS (Do I need it here?)

    DC1LTMS - has the following certs in its store : -

    • DC1GTMA
    • DC1GTMS
    • DC2GTMA
    • DC2GTMS
    • Missing DC1LTMA (Do I need it here?)
    • Missing DC2LTMA (Do I need it here?)
    • Missing DC2LTMS (Do I need it here?)

     

    DC2GTMA - has the following certs in its store : -

    • Itself (is this required, can I remove it?)
    • DC2GTMS
    • Missing DC1GTMA (Do I need it here?)
    • DC1GTMS

     

    DC2GTMS - has the following certs in its store : -

    • Itself (is this required, can I remove it?)
    • DC2GTMA
    • Missing DC1GTMA (Do I need it here?)
    • DC1GTMS

    DC2LTMA - has the following certs in its store : -

    • Missing Itself (Do I need it here?)
    • Missing DC2LTMS (Do I need it here?)
    • DC1GTMA
    • DC1GTMS
    • DC2GTMA
    • DC2GTMS

    DC2LTMS - has the following in certs in its store : - 

    • Missing Itself (Do I need it here?)
    • Missing DC2LTMA (Do I need it here?)
    • DC1GTMA
    • DC1GTMS
    • DC2GTMA
    • DC2GTMS

     

    Forgive me for the detail, but hoping it makes things easier to grasp. I have put a comment where I am not sure, but if you think, I can make this simpler, please do comment inline, and advise if this list on the devices can be cleaned up.

     

    Thank You