Setting up certificates for F5 Networks BIG-IP systems

You must set up the device certificate on the F5 Networks BIG-IP system before you can connect using Zero Trust Privileged Access Service.

Once the F5 Networks BIG-IP system is configured, the same certificate must also be trusted on all Centrify Connector systems that are connected to the F5 Networks BIG-IP system. In most cases, F5 Networks BIG-IP systems should use a certificate obtained from an Enterprise Certificate Authority (CA) or a trusted external CA, such as VeriSign. Because a certificate from one of these CAs is already trusted, certificate setup on the Centrify Connector systems is simpler. Alternatively, you can export the certificate from the F5 Networks BIG-IP system and import it into all systems running the Centrify Connector. Self-signed certificates should not be used in production environments.

Verifying certificate configuration

To verify that the certificate is trusted in the Centrify Connector, connect to the F5 Networks BIG-IP Web UI ("https://<hostname/IP Address>:<management port>") using a browser and verify that the connection is secure. If the connection is secure, the SSL/TLS secure management channel is established.

If an error occurs while establishing the SSL connection, review the supported SSL/TLS protocol versions and cipher suites.

If an error occurs indicating that the server certificate cannot be validated, check the connector and target certificate settings, including root CA, subject names, and validity.
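The two failure cases above can also be told apart from a script run on a connector system. The following is an added example, not part of the product documentation: the function names and the host bigip.example.com are placeholders, and it checks against Python's default trust store, which may differ from the store the connector uses (pass cafile to test a specific exported CA certificate).

```python
import socket
import ssl
from datetime import datetime, timezone

def classify_tls_error(exc):
    """Map a connection exception to the failure classes described above."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message names the cause: unknown root CA, name mismatch, expiry
        return ("certificate", getattr(exc, "verify_message", str(exc)))
    if isinstance(exc, ssl.SSLError):
        # Any other handshake failure: protocol version or cipher suite mismatch
        return ("protocol-or-cipher", getattr(exc, "reason", None) or str(exc))
    return ("network", str(exc))

def days_until_expiry(not_after, now=None):
    """Days left before the certificate's notAfter date (negative if expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def check_management_tls(host, port=443, cafile=None, timeout=5):
    """Handshake with the management port, verifying chain and host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "san": [value for _, value in cert.get("subjectAltName", ())],
                    "days_left": days_until_expiry(cert["notAfter"]),
                }
    except (ssl.SSLError, OSError) as exc:
        kind, detail = classify_tls_error(exc)
        return {"ok": False, "failure": kind, "detail": detail}

if __name__ == "__main__":
    # Placeholder host and port: substitute the BIG-IP management address
    print(check_management_tls("bigip.example.com", 443))
```

A "certificate" failure points to the root CA, subject name, or validity checks; a "protocol-or-cipher" failure points to the supported SSL/TLS versions and cipher suites.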

For more information about password and system management for F5 Networks BIG-IP systems, see the following topics: