Forum Discussion
Why does the device certificate verification fail when the device certificate is not expired?
- Jan 10, 2025
Hello Herman2024, GTM iQuery depends upon valid certificates. This reference article, Overview of BIG-IP device certificates (11.x - 16.x), goes into details for Trusted Device Certificates as well as Trusted Server Certificates (DNS).
Device Cert Location ---> Configuration Utility: Device Certificates (System > Certificate Management > Device Certificate Management > Device Certificate | Device Key)
DNS Server Cert Location ---> DNS > GSLB > Servers > Trusted Server Certificates
Check these stores and ensure there aren't any expired certificates etc.
Hi Jeffrey_Granier, thanks for your kind advice! Can I ask one last question: should I remove all expired device trust certificates on the local F5? The remote F5 renewed the device certificate recently. Thanks in advance!
- Jeffrey_Granier, Jan 16, 2025
Employee
Hi Herman2024, before you remove anything please ensure you have a backup/archive of each system saved locally and offline. We do have a KB article on cert cleanup on DNS systems: Identify Duplicate and Expired SSL Certificates for BIG-IP DNS/GTM. Before you remove any expired certificates, make sure all of your DNS devices have no sync issues and iQuery is in a good state. This KB article has good advice on maintaining state: Troubleshooting BIG-IP DNS synchronization and iQuery connections (13.x - 17.x).
From a high level, when working with expired certificates on GTM/DNS systems and iQuery is in a bad state, you would do the following (in a maintenance window):
* Delete expired certs from DNS ›› GSLB : Servers : Trusted Server Certificates
* Delete expired certs from System ›› Certificate Management : Device Certificate Management : Device Trust Certificates
* Renew self-signed certs
* Run bigip_add <LTMs> and gtm_add <GTMs>
- Herman2024, Jan 24, 2025
Cirrostratus
Hi Jeffrey_Granier, thanks for your advice. I have one more question on client certificates and iQuery. I checked the client certificates on all our GTMs and LTMs, and found that the device certificate of the LTM is not in the "Device Trust Certificate" list (client cert); I only saw the GTM device certificates in the "Device Trust Certificate" list on the LTM. Is it correct? Another finding is a duplicate client certificate in the "Device Trust Certificate" list. Is it because someone ran bigip_add twice? Please advise, thanks in advance!
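A script to audit a PEM trust bundle for expired and duplicate certificates, added here as an illustration and not code from DevCentral, F5 or either poster. It covers the two conditions the thread raises: the expired entries Jeffrey_Granier says to delete in a maintenance window, and the duplicate entry Herman2024 reports in the last post. It assumes the store has been exported to a single PEM file (the path is a placeholder; the thread does not give the BIG-IP file locations) and that `openssl` is on the PATH. Certificates are keyed by SHA-256 fingerprint, so two copies of the same certificate (the result of adding the same peer twice) show up as one repeated fingerprint.

```shell
#!/bin/sh
# Added example (not F5 code): audit a PEM bundle of trusted device
# certificates for expired entries and duplicates.
# Usage: audit_cert_bundle <bundle.pem> [window-seconds]
# Prints one tab-separated line per certificate:
#   STATUS  SHA256-FINGERPRINT  NOT-AFTER  SUBJECT
# STATUS is EXPIRED when the certificate has expired or will expire
# within the optional window (default 0 = already expired), else VALID.
audit_cert_bundle() {
    bundle="$1"
    window="${2:-0}"
    tmpdir=$(mktemp -d)
    # Split the bundle into one file per certificate.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
        f { print > (f) }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//')
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits non-zero if the cert expires within $window seconds.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=VALID
        else
            status=EXPIRED
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$fp" "$end" "$subj"
    done
    rm -rf "$tmpdir"
}

# Number of certificates flagged EXPIRED for the given window.
count_expired() {
    audit_cert_bundle "$1" "${2:-0}" | awk -F'\t' '$1 == "EXPIRED"' | wc -l | tr -d ' '
}

# Fingerprints that occur more than once in the bundle (one per line).
duplicate_fingerprints() {
    audit_cert_bundle "$1" 0 | cut -f2 | sort | uniq -d
}

# Stand-alone use: ./audit.sh /path/to/exported-trust-bundle.pem 2592000
# (placeholder path; 2592000 s = 30 days of warning).
if [ -n "${1:-}" ]; then
    audit_cert_bundle "$1" "${2:-0}"
    echo "duplicates:"
    duplicate_fingerprints "$1"
fi
```

Review the output before deleting anything: a fingerprint that appears twice is safe to reduce to one copy, while an EXPIRED line for a peer that is still in the sync group means that peer's certificate needs renewing and re-adding, not just removal.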