Add root CA to ca-bundle?

Yes, you can append certs to the CA bundle, by editing it with a text editor like vi or pico. Or if you already have the new cert on the filesystem, you can use:

 

 

cat newcert.crt >> /config/ssl/ssl.crt/ca-bundle.crt

 

 

However, there does seem to be a Class 3 G2 cert already in the bundle on 9.4.7:

 

 

 

Certificate:

 

Data:

 

Version: 1 (0x0)

 

Serial Number:

 

7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6

 

Signature Algorithm: sha1WithRSAEncryption

 

Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized

 

use only, OU=VeriSign Trust Network

 

Validity

 

Not Before: May 18 00:00:00 1998 GMT

 

Not After : Aug 1 23:59:59 2028 GMT

 

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network

 

Subject Public Key Info:

 

Public Key Algorithm: rsaEncryption

 

RSA Public Key: (1024 bit)

 

Modulus (1024 bit):

 

00:cc:5e:d1:11:5d:5c:69:d0:ab:d3:b9:6a:4c:99:

 

1f:59:98:30:8e:16:85:20:46:6d:47:3f:d4:85:20:

 

84:e1:6d:b3:f8:a4:ed:0c:f1:17:0f:3b:f9:a7:f9:

 

25:d7:c1:cf:84:63:f2:7c:63:cf:a2:47:f2:c6:5b:

 

33:8e:64:40:04:68:c1:80:b9:64:1c:45:77:c7:d8:

 

6e:f5:95:29:3c:50:e8:34:d7:78:1f:a8:ba:6d:43:

 

91:95:8f:45:57:5e:7e:c5:fb:ca:a4:04:eb:ea:97:

 

37:54:30:6f:bb:01:47:32:33:cd:dc:57:9b:64:69:

 

61:f8:9b:1d:1c:89:4f:5c:67

 

Exponent: 65537 (0x10001)

 

Signature Algorithm: sha1WithRSAEncryption

 

51:4d:cd:be:5c:cb:98:19:9c:15:b2:01:39:78:2e:4d:0f:67:

 

70:70:99:c6:10:5a:94:a4:53:4d:54:6d:2b:af:0d:5d:40:8b:

 

64:d3:d7:ee:de:56:61:92:5f:a6:c4:1d:10:61:36:d3:2c:27:

 

3c:e8:29:09:b9:11:64:74:cc:b5:73:9f:1c:48:a9:bc:61:01:

 

ee:e2:17:a6:0c:e3:40:08:3b:0e:e7:eb:44:73:2a:9a:f1:69:

 

92:ef:71:14:c3:39:ac:71:a7:91:09:6f:e4:71:06:b3:ba:59:

 

57:26:79:00:f6:f8:0d:a2:33:30:28:d4:aa:58:a0:9d:9d:69:

 

91:fd

 

MD5 Fingerprint=A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9

 

 

 

 

Aaron

Thanks Aaron!! I was using a single > instead of double >> and it basically overwrote all of the exisiting certificates, doh!

 

 

I did see that G2 cert in there already, but it has a different serial number then the one specified by VeriSign:

 

http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html

 

 

In any case, I appended the root CA to the ca-bundle and it's working like a charm.

 

 

Thanks again,

 

Brian

Aaron,

 

I've followed the above instructions and I'm having an issue. I copied the base64 text to a .crt file from the verisign site for an Intermediate CA :

 

Issued to: VeriSign Class 3 International Server CA - G3

 

Issued by: VeriSign Class 3 Public Primary Certification Authority - G5

 

Valid from: 2/7/2010 to 2/7/2020

 

Serial Number: 64 1b e8 20 ce 02 08 13 f3 2d 4d 2d 95 d6 7e 67

 

Ran the cat newIntermediate.crt >> ca-bundle.crt. I went to an SSL Client profile that uses that bundle and hit the Update button. The base64 encoded text is placed at the bottom of the file but there's no descriptive text above the entry. When i use the GUI i don't see the cert listed and it's made no difference to my certificate chain verification testing from Verisign. I figure I'm missing a step in getting the text in to the ca-bundle but i've not found a solution yet.

 

Please let me know if I'm missing something.

 

Thanks

 

Richard

Answering my own question; F5 says the ca-bundle file is only for root CAs not intermediate CAs.

 

To add an intermediate CA cert bundle use this solution:

 

http://support.f5.com/kb/en-us/solutions/public/6000/400/sol6401.html

 

 

Richard

Hi All,

 

 

Two quick questions in relation to adding the intermediate CA bundle to the F5?

 

 

I've followed the instructions for sol6401 but am a bit lost at the part where they go:

 

 

cat intermediateCA_1.crt intermediateCA_2.crt rootCA.crt > chain.crt

 

 

1/ What do I use for the rootCA.crt? I don't see this file in /config/ssl/ssl.crt ??

 

 

2/ The rootCA is suppose to be optional, so I've tried it without using the rootCA but when I run that against the site's crt, I get this error:

 

 

[root] ssl.crt openssl verify -purpose sslserver -CAfile chain.crt mysite.crt

 

mysite.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 

error 2 at 2 depth lookup:unable to get issuer certificate

 

 

Does that error message mean anything? I found some other forums where some users just ignored this error and their site still functioned ok.

 

 

Help please...

 

 

Thanks.

 

 

Andy

 

1/ What do I use for the rootCA.crt? I don't see this file in /config/ssl/ssl.crt ??

 

rootCA.crt is root certificate from your CA. you should be able to get it from the CA website.

 

 

2/ The rootCA is suppose to be optional, so I've tried it without the rootCA but when I run that against the site's crt, I get this error:

 

i believe u have to put root certificate in the chain.crt to make openssl verify return OK. anyway, root certificate is not required in chain file (since it must be installed in browser).

1/ What do I use for the rootCA.crt? I don't see this file in /config/ssl/ssl.crt ??

 

rootCA.crt is root certificate from your CA. you should be able to get it from the CA website.

 

 

2/ The rootCA is suppose to be optional, so I've tried it without the rootCA but when I run that against the site's crt, I get this error:

 

i believe u have to put root certificate in the chain.crt to make openssl verify return OK. anyway, root certificate is not required in chain file (since it must be installed in browser).

Thanks, ignored the openssl errors and the ssl certificate is now verified on the web site.