Jun 08, 2011

Certificate removed from ca-bundle between 10.2.0 and 10.2.1

This may be the wrong topic group for this one, if so apologies and please advise...



I was recently involved in an upgrade from 10.2.0 to 10.2.1. After upgrading we had issues with an HTTPS Virtual Server, connections were being reset. To cut a long story short it was due to the 'VeriSign Class 3 Public Primary Certification Authority - G5' certificate being removed from the ca-bundle in 10.2.1.



A bit of googling uncovered an f5 Known Issue doc ( which states the cert was removed but there is not really enough detail there for me to really understand why.



My client has purchased a certificate signed by this CA cert, should I or should I not be importing it into the BIG-IP and assigning it to the Virtual Servers Client SSL Profile to get things back up and working? Has my client purchased the wrong kind of certificate?
  • What is your VeriSign certificate product, e.g. Secure Site, Secure Site Pro, etc.?



    VeriSign's new intermediate certificate should have two certificates; one is secondary and the other one is primary. The secondary is on top of the file.




    Also, this is the installation checker.

  • Here is the certificate hierarchy...


    VeriSign Class 3 Public Primary Certification Authority - G5


    VeriSign Class 3 International Server CA - G3





    My client had an initial certificate which they renewed; the renewal was signed with the G3 and G5 certs.



    The G5 cert was in the ca-bundle up until we upgraded to 10.2.1 - not sure why f5 have removed it if VeriSign are signing certificates with it. Any clues?





  • If you look at the top of the ca-bundle.crt file, they list where they get the updates:



    This is a bundle of X.509 certificates of public Certificate


    Authorities. It was generated from the Mozilla root CA list.



    Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt



    Generated from certdata.txt RCS revision 1.56




    You can download updated CA-Bundles here:



    That might be a good place to start investigating why it was removed, but you can also add it back in if you like. It is just a collection of the most common root certificates.



    Hope this helps.
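    Since the thread's question is "which root disappeared from ca-bundle.crt between two releases", a practical way to answer it is to parse both bundle files and diff them by certificate fingerprint rather than by eye. The script below is an added example, not code from the thread or from F5; it assumes the bundle layout shown above (a `#` comment header, then for each root a label line, an underline of `=` characters and a PEM block). The two bundles and their base64 bodies are constructed placeholder data, not real certificates, which is enough to exercise the parser.

```python
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _label_before(text: str, pos: int):
    """Walk backwards from a PEM block to find its label line.

    Blank lines, '#' comment lines and '====' underlines are skipped;
    hitting the previous block's END line means this block is unlabelled.
    """
    for line in reversed(text[:pos].splitlines()):
        s = line.strip()
        if s.startswith("-----END CERTIFICATE-----"):
            return None
        if not s or s.startswith("#") or set(s) == {"="}:
            continue
        return s
    return None


def parse_bundle(text: str) -> dict:
    """Map SHA-256 fingerprint of each DER cert -> its label (or fingerprint)."""
    certs = {}
    for m in _PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        certs[fingerprint] = _label_before(text, m.start()) or fingerprint
    return certs


def diff_bundles(old_text: str, new_text: str):
    """Return (removed_labels, added_labels) between two bundle files."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    removed = [label for fp, label in old.items() if fp not in new]
    added = [label for fp, label in new.items() if fp not in old]
    return removed, added


# --- constructed sample data (placeholder bytes, NOT real certificates) ---
def _fake_pem(seed: str) -> str:
    der = hashlib.sha256(seed.encode()).digest() * 2  # 64 placeholder bytes
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


_HEADER = (
    "##\n## ca-bundle.crt -- Bundle of CA Root Certificates (constructed sample)\n"
    "##\n## Generated from certdata.txt RCS revision {rev}\n##\n"
)


def build_bundle(rev: str, labels) -> str:
    """Assemble a bundle in the header + label + underline + PEM layout."""
    parts = [_HEADER.format(rev=rev)]
    for label in labels:
        parts.append(f"\n{label}\n{'=' * len(label)}\n{_fake_pem(label)}")
    return "".join(parts)


# Hypothetical 'before' and 'after' bundles; the G5 label is the one the
# thread is about, the others are made-up names.
BUNDLE_OLD = build_bundle("1.56", [
    "Example Root CA 1",
    "VeriSign Class 3 Public Primary Certification Authority - G5",
    "Example Root CA 2",
])
BUNDLE_NEW = build_bundle("1.57", [
    "Example Root CA 1",
    "Example Root CA 2",
    "Example Root CA 3",
])


def main():
    removed, added = diff_bundles(BUNDLE_OLD, BUNDLE_NEW)
    print("Removed roots:", removed)
    print("Added roots:  ", added)


if __name__ == "__main__":
    main()
```

    On a real system you would read the two `ca-bundle.crt` files (for example one saved before the upgrade and one from the new release) and pass their contents to `diff_bundles`; because the comparison is by fingerprint of the DER bytes, a root is reported as removed even if another root with the same label was added in its place.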
  • Are you using client certificate authentication?



    Bug ID 338848 is about BIG-IP not sending all intermediate certificates to the client, which leads to a certificate warning message in the browser. I don't think the connection is reset.