Client SSL Profile Chain

Question

Hello all,&nbsp;
&nbsp;Scenario: BIP-IP version 9.4.4. New VS, x.x.x.x:443. SSL termination on f5 using Client SSL profile. I created a self signed SSL certificate on the f5 and this was issued by our own Certificate Services. I downloaded the certificate / key and, seperately, the certificate chain to the f5 (Local Traffic - SSL certificates). In a new Client SSL profile I associated the certificate and key and also, in the Chain bit, referenced the chain I downloaded. When users connected to the VS the connection would time out and never get to the website. The fix was to change the chain to None. The website then worked, allbeit with a certificate error as the issuer isn't trusted.&nbsp;
&nbsp;Also, using tcpdump I could see the 3way handshake complete.&nbsp;
&nbsp;My hope / desire was the self signed certificate would be trusted by anyone 
connecting to the VS because it would download the Chain to their 
client - as specified in the ssl client profile, saving them a prompt to "continue to the website".&nbsp;
&nbsp;Have I misunderstood the use of the Chain setting? Or have I misconfigured something my end?&nbsp;
&nbsp;Any help greatly appreciated.&nbsp;
&nbsp;N&nbsp;

hamish · Answer

A chain certificate (Or chain list) is only alink between the site certificate being presented, and a trusted certificate in your browser... Presenting the same cert as site and chain simply means nothing more than just presenting the cert itself. You still don't have a chain of trust to follow. 
&nbsp;  
&nbsp; To have a SS cert trusted, you have to install the SS cert into the CA cert list of a browser. WHich is a pain if you have a lot of them. Other options are to generate a local CA cert and install that as a CA cert in your browsers, and then use that to sign the certs you're generating... But that means you have to run a CA repository... And that means extra security, management etc...  
&nbsp;  
&nbsp; YMMV whether it's worth it or not. 
&nbsp;  
&nbsp; H

nathe · Answer

Hamish 
&nbsp;  
&nbsp; Thanks for clearing that up. It's only going to be a few external clients connecting so I'll ask them to install the cert manually. 
&nbsp;  
&nbsp;  
&nbsp; Rgds 
&nbsp; N

Forum Discussion

Client SSL Profile Chain

2 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

How to Verify config before loading to F5

Errors with AS3 3.56.0 with F5 17.5.1.6

syslog over tcp and define management IP as source

VIP control across data centers - how to ensure only 1 VIP is up at a time?

migrate from serie I to R. Cluster LTM-GTM

Related Content

Post-Quantum Cryptography, OpenSSH, & s1ngularity supply chain attack

JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)

SSL Profiles Part 8: Client Authentication

SSL Profiles Part 3: Certificate Chain Implementation

Use F5 Distributed Cloud to service chain WAAP and CDN

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS