Forum Discussion
- eneR (Cirrostratus)
Hi,
In the F5 GUI, go to Main --> System --> Device Certificates and import/replace the existing certificate with the one from your company.
Hi,
The default cert has a common name of localhost.localdomain, and as eneR already pointed out, it is best practice to replace it with a cert issued for the device-specific hostname. The cert can be self-signed or signed by a certificate authority. If you have it signed by a CA, make sure they leave the certificate purpose as it is (both client and server cert). In case you have (an) intermediate CA(s) involved and your clients trust the root only, it would be required to import the intermediate CA or chain as well. This has to be done on the CLI after copying your chain to /config/httpd/conf/ssl.crt/intermediate_ca.crt:

    chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt
    tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    bigstart restart httpd

Certs are generally stored in PEM format. Be very careful if you plan to deploy GTM or LinkController. The syncgroup trust is based on the device certs and the purpose attributes (client/server) and chain of trust are mandatory.
Thanks, Stephan
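
A pre-import check for the two conditions named in the reply above (the chain of trust and both client and server purpose), as an added example that is not part of the original posts. It relies on `openssl verify`; the function names, file names and the throwaway demo PKI are constructed for illustration.

```shell
# check_device_cert <device.crt> <intermediate_chain.crt> <root.crt>
# Passes only if the chain builds to the root AND the cert is valid for
# both TLS server and TLS client use.
check_device_cert() {
    local purpose rc=0
    for purpose in sslserver sslclient; do
        if openssl verify -purpose "$purpose" -CAfile "$3" \
                -untrusted "$2" "$1" >/dev/null 2>&1; then
            echo "OK   $purpose"
        else
            echo "FAIL $purpose"; rc=1
        fi
    done
    return "$rc"
}

# Constructed throwaway PKI (made-up names, 2-day certs) for an offline demo.
make_demo_pki() {
    ( set -e; cd "$1"
      echo 'basicConstraints=critical,CA:TRUE'      > ca.ext
      echo 'extendedKeyUsage=serverAuth,clientAuth' > both.ext
      echo 'extendedKeyUsage=serverAuth'            > server_only.ext
      for n in root inter good bad; do
          openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
              -keyout "$n.key" -out "$n.csr"
      done
      openssl x509 -req -in root.csr -signkey root.key -days 2 \
          -extfile ca.ext -out root.crt
      sign() { # sign <name> <issuer> <extfile>
          openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
              -CAcreateserial -days 2 -extfile "$3" -out "$1.crt"; }
      sign inter root  ca.ext
      sign good  inter both.ext
      sign bad   inter server_only.ext
    ) >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then
    check_device_cert "$@"          # check real files passed as arguments
else
    demo=$(mktemp -d) && make_demo_pki "$demo"
    echo "good.crt:"; check_device_cert "$demo/good.crt" "$demo/inter.crt" "$demo/root.crt"
    echo "bad.crt:";  check_device_cert "$demo/bad.crt" "$demo/inter.crt" "$demo/root.crt" || true
    rm -rf "$demo"
fi
```

Run with three PEM file arguments, it checks a real device certificate before import; without arguments it runs the constructed demo, where the server-only certificate fails the `sslclient` check.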