Forum Discussion

Magnum_IP's avatar
Magnum_IP
Icon for Nimbostratus rankNimbostratus
Jun 08, 2011

Certificate removed from ca-bundle between 10.2.0 and 10.2.1

This may be the wrong topic group for this one, if so apologies and please advise...

 

 

I was recently involved in an upgrade from 10.2.0 to 10.2.1. After upgrading we had issues with an HTTPS Virtual Server, connections were being reset. To cut a long story short it was due to the 'VeriSign Class 3 Public Primary Certification Authority - G5' certificate being removed from the ca-bundle in 10.2.1.

 

 

A bit of googling uncovered an f5 Known Issue doc (http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12753.html) which states the cert was removed but there is not really enough detail there for me to really understand why.

 

 

My client has purchased a certificate signed by this CA cert, should I or should I not be importing it into the BIG-IP and assigning it to the Virtual Servers Client SSL Profile to get things back up and working? Has my client purchased the wrong kind of certificate?

 

 

Regards,

 

 

fergu5

 

config
design
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 08, 2011
    what is your verisign certificate product e.g. secure site, secure site pro, etc?

     

     

    verisign new intermediate certificate should have two certificates; one is secondary and the other one is primary. the secondary is on top of the file.

     

    https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=SO14649

     

     

    also, this is installation checker

     

    https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1130&actp=LIST&viewlocale=en_US
  • Magnum_IP's avatar
    Magnum_IP
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2011

    Here is the certificate hierarchy...

     

    VeriSign Class 3 Public Primary Certification Authority - G5

     

    VeriSign Class 3 International Server CA - G3

     

    mydomain.com

     

     

     

    My client had an initial certificate which they renewed, the renewal was signed by with the G3 and G5 certs.

     

     

    The G5 cert was in the ca-bundle up until we upgraded to 10.2.1 - not sure why f5 have removed it if VeriSign are signing certificates with it. Any clues?

     

     

    fergu5

     

  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2011
    If you look at the top of the ca-bundle.crt file, they list where they get the updates:

     

     

    This is a bundle of X.509 certificates of public Certificate

     

    Authorities. It was generated from the Mozilla root CA list.

     

     

    Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt

     

     

    Generated from certdata.txt RCS revision 1.56

     

     

     

    You can download updated CA-Bundles here: http://curl.haxx.se/docs/caextract.html

     

     

    That might be a good place to start investigating why it was removed, but you can also add it back in if you like. It is just a collection of the most common root certificates.

     

     

    Hope this helps.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 11, 2011
    r u using client certificate authentication?

     

     

    bug id 338848 is about bigip not sending all intermediate certificates to client which leads to certificate warning message on browser. i don't think connection is reseted.