Forum Discussion

Thomas_Schaefer's avatar
Icon for Nimbostratus rankNimbostratus
Oct 12, 2011

Check validity of CA for a server SSL cert

Here is the scenario...I use a BigIP to do ALL SSL processing both inbound and outbound as my back-end system does not support SSL very well. The way I make a call to an external web resource via SSL is to use a SERVERSSL connection, but instead of the node being behind the BigIP, the node is a server across the Internet. Just like an SSL proxy but in reverse.



So, here is my issue...I need to verify the CA that issued the cert is valid. If I go to Google via https, I need to make sure there cert was valid versus just that the CA looks reads back as Google as that could be spoofed (I may be wrong but what stops someone from running a CA and saying they are Google or Verisign). What I need to happen is that when the BigIP looks at the cert, it tells me if the cert is valid or not. I may not understand this right, but I saw an example in DevCentral that simply checked that the name of the Issuer was Verisign. It seems like the hash would need to be compared.



My real goal is to be able to dynamically have my app tell an iRule if I care if the CA is valid and thus the cert is valid. Note I see how I can check the valid dates and the issuer but I need that last piece to have the BigIP tell me the CA looks ok versus self-signed. Is there a way to do that?



Thanks as always,



Tom Schaefer


1 Reply

  • doesn't Trusted Certificate Authorities setting e.g. ca-bundle.crt in serverssl profile work?



    sol11220: Overview of the Server SSL profile