Can I deployed a machine certificate in network load balancer?

aldrinstephengomes
Nimbostratus

Hi all,

This is Aldrin Stephen Gomes from Bangladesh. I want to use a CA machine certificate in a load balancer. Is it possible to use a machine certificate in a load balancer? N.B.: it will be a CA machine certificate, not an SSL certificate. I hope someone has better knowledge in this area and can help me find a solution!

Thank you

Aldrin Stephen Gomes.


Hi @aldrinstephengomes,

Could you please give an example of this certificate, what it is or how it works?

>> Also, why do you want to deploy this kind of certificate?

Thanks

_______________________
Regards
Mohamed Kansoh

Hi @Mohamed_Ahmed_Kansoh

Yes, sure. It will be a certificate generated by a Trusted Certifying Authority, and I want to deploy it on the load balancer hardware port. The mechanism will be that, without the private key, another component cannot communicate with the load balancer. Hope I'll get a solution!

Thanks

Aldrin Stephen Gomes

@aldrinstephengomes,
Do you mean the management port of the load balancer, the port you use to manage your box and navigate the F5 load balancer GUI? Is that correct?

_______________________
Regards
Mohamed Kansoh

@Mohamed_Ahmed_Kansoh

The port I meant: I want to deploy a CA certificate on the entire load balancer device. A port will communicate with the load balancer; if the load balancer has a machine certificate, then it will communicate with the other components!

Regards

Aldrin Stephen Gomes.

@aldrinstephengomes,
So you need to change the certificate of the entire load balancer device.

The load balancer uses this certificate for multiple tasks, such as:
Accessing the GUI of the load balancer.
Exchanging device certificates between two load balancers in DSC / HA clustering.
And more...

So what I observe now is that you need to replace the load balancer certificate itself with another certificate signed by your CA.
This is separate from the ordinary SSL certificates of the applications hosted on the load balancer.

So this is doable. Follow the articles below:

https://my.f5.com/manage/s/article/K16951115#replace

Or this one:

https://my.f5.com/manage/s/article/K42531434#replace

Start from the "Replace" part.

Try it and let me know if I missed something.


_______________________
Regards
Mohamed Kansoh

@aldrinstephengomes Can you provide a bit more information on exactly where you intend to install this SSL certificate? Based on the back and forth I see between yourself and @Mohamed_Ahmed_Kansoh, it seems like you want to replace the SSL certificate associated with the management GUI. If you generate an SSL certificate, you will also have to have the associated SSL key uploaded to the device for it to work properly.

boneyard
MVP

I'm going to be a little harsh here perhaps, but the term you use doesn't exist. You can call it a CA machine certificate, but it is better to find out what the rest of the world calls them.

Every certificate is an SSL certificate; sure, you have client, server and (intermediate) CA certificates, but they are all SSL. You even say it comes from a Trusted Certifying Authority, which points to SSL.

@Mohamed_Ahmed_Kansoh suggests the device certificate, which is again nothing more than a client/server SSL certificate, but used for management access and BIG-IP to BIG-IP communication.

Will you be using the certificate for management or for traffic through the BIG-IP?

Hi @boneyard,

Yes, I expected that he is asking for the device certificate, especially as he mentioned it's coming from a CA. So maybe he is asking for the device cert itself, which he calls a machine certificate.

That's my expectation... 

Thanks boneyard 

_______________________
Regards
Mohamed Kansoh

I very much agree with the other MVPs; we need to understand the scope better.

@aldrinstephengomes - you're saying that you'll be installing a trusted certificate that was signed by your Root CA. This is not the Root CA certificate, and it comes without a key.

- While it's possible to store certificates this way on the BIG-IP, please understand that traffic decryption will not be possible if F5 doesn't have the certificate's key.

- It's common practice to store certificates this way if you want to build a certificate chain on the BIG-IP. This enables clients to verify that the server certificate and all CAs are trustworthy. Usually, in this setup, F5 uses a certificate+key pair signed by the last CA in the chain to decrypt SSL traffic.
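The chain-versus-key distinction drawn in the replies above, as an added shell example (not from the thread, F5, or any poster): it builds a constructed root CA, issuing CA and server cert+key with the openssl CLI, then defines the two checks worth running before uploading anything to a BIG-IP: does the server cert verify against the root only when the intermediate is supplied as the chain, and does the private key actually belong to the certificate. It assumes the openssl binary is installed; all names and the www.example.test hostname are made up.

```shell
#!/bin/sh
# Added example: constructed root CA -> issuing CA -> server cert chain, plus the
# chain and key checks an admin runs before uploading to a BIG-IP. Names are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root: the "Trusted Certifying Authority" certificate. Only the cert
# is ever needed on the BIG-IP, because it anchors trust and never decrypts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# sign <csr> <ca.crt> <ca.key> <extensions> <out.crt>: issue a cert from a CSR.
sign() {
  printf '%b' "$4" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 2 \
    -extfile "$WORK/ext.cnf" -out "$5" 2>/dev/null
}

# Issuing (intermediate) CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
sign "$WORK/inter.csr" "$WORK/root.crt" "$WORK/root.key" \
  'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  "$WORK/inter.crt"

# Server cert+key pair, signed by the last CA in the chain: the one object the
# BIG-IP can actually terminate SSL with.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
sign "$WORK/server.csr" "$WORK/inter.crt" "$WORK/inter.key" \
  'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' "$WORK/server.crt"

# chain_verifies <server.crt> [chain.crt]: does a client that trusts only the
# root accept the server cert? Succeeds only when the intermediate is sent too.
chain_verifies() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
  fi
}

# key_matches_cert <cert> <key>: same public key in both? A cert uploaded with
# the wrong key, or with no key at all, cannot be used for decryption.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
```

Run the checks on your own files by replacing the constructed paths; a chain that only verifies with `-untrusted` is the chain the BIG-IP must present to clients.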