Forum Discussion
nathe
Apr 12, 2011Cirrocumulus
Client SSL Profile Chain
Hello all,
Scenario: BIP-IP version 9.4.4. New VS, x.x.x.x:443. SSL termination on f5 using Client SSL profile. I created a self signed SSL certificate on the f5 and this was issued by our own Certificate Services. I downloaded the certificate / key and, seperately, the certificate chain to the f5 (Local Traffic - SSL certificates). In a new Client SSL profile I associated the certificate and key and also, in the Chain bit, referenced the chain I downloaded. When users connected to the VS the connection would time out and never get to the website. The fix was to change the chain to None. The website then worked, allbeit with a certificate error as the issuer isn't trusted.
Also, using tcpdump I could see the 3way handshake complete.
My hope / desire was the self signed certificate would be trusted by anyone connecting to the VS because it would download the Chain to their client - as specified in the ssl client profile, saving them a prompt to "continue to the website".
Have I misunderstood the use of the Chain setting? Or have I misconfigured something my end?
Any help greatly appreciated.
N
- HamishCirrocumulusA chain certificate (Or chain list) is only alink between the site certificate being presented, and a trusted certificate in your browser... Presenting the same cert as site and chain simply means nothing more than just presenting the cert itself. You still don't have a chain of trust to follow.
- natheCirrocumulusHamish
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects