Forum Discussion

Nik_67256
Jul 11, 2012

Creating Chain Certificates

Hello All,

I needed to create a chain SSL certificate from the intermediate and root certificates as the root CA had changed. I followed the instructions given in the link and created the chain .crt.

http://support.f5.com/kb/en-us/solu...tmlcustom

However, the website still gives a certificate error after executing the info in the link.

I also noticed that there is nothing on the key creation in this chain scenario. Do I need to create a new key since I've created a new chain.crt? My key for the certificate bundle says "no key". I had .p12 files for these devices, so I don't have the keys.

Nik

  • Hi Nik,

    There is no key required for the chain. To be clear, you have keys imported on the F5 for the certs, right? This is required. You mentioned creating the chain but didn't mention adding it to the SSL profile. Make sure that your SSL profile has a certificate, key and chain set.

    Let me know if this didn't help. If it didn't help, what is the certificate error the site is giving?

    John
  • Hi John,

    1) There are no keys for the 2 root and 2 intermediate security certificates that I have, and they are certificates only. The keys are in the CA; only the CA has the private keys. So I'm not sure which keys are being referred to?

    2) Yes, I did add the chain.crt to the chain field in the server profile. Is there anything I need to do with the client profile?

    3) Further, do I also need to specify the certificate name as chain.crt in the certificate field in the SSL profile? Wouldn't this again be chain.crt, which I've already specified in the chain field in the SSL profile?

    4) Do I again need to update the passphrase in the SSL profiles?

    Nik
  • "2) Yes, I did add the chain.crt to the chain field in the server profile. Is there anything I need to do with the client profile?"

    Normally the chain is set in the clientssl profile unless you do certificate authentication on the server side (between F5 and server). Can you try to update the chain in the clientssl profile instead of the serverssl profile?
  • John,

    2) After updating the client SSL profile, the red address bar certificate error did go away on the login page of the F5 device. So that's good. However, once I logged in, there was a certificate error again giving the following message -

    "The security certificate presented by this website has errors. The problem might indicate an attempt to fool you or intercept any data you send to the server. We recommend to close this page"

    Nik
  • "The security certificate presented by this website has errors. The problem might indicate an attempt to fool you or intercept any data you send to the server. We recommend to close this page"

    What is the FQDN in the browser's address bar after logging in? And what is the certificate's FQDN (which is shown in the browser)? Does it match?
  • Well, the FQDN for the login page is different from the host name -

    FQDN login - https://waf-cdc-hosted1.X.com/tmui/login.jsp

    hostname - waf-cdc-hosted1.X.com

    But as mentioned, the login page does not show a certificate error.

    Once logged in, the FQDN is (which now displays the cert error) -

    https://waf-cdc-hosted1.X.com/xui/

    Nik

  • Are you looking to set up the chain for the config utility (BIG-IP's GUI) or an HTTPS virtual server?

    The AskF5 solution and all we were talking about are for an HTTPS virtual server.

    For the config utility, you can review this one.

    SSL for management interface

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/23179/showtab/groupforums/Default.aspx
  • This was for the config utility. In any case it was useful to know the stuff discussed for the HTTPS virtual server.

    I will review the information in the link first - thanks.

    Nik
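
The point made in the thread, that the chain file holds certificates only while the key belongs to the server certificate, can be checked offline with the openssl CLI. This is an added example, not part of the original thread or of F5's documentation; the throwaway PKI, file names and function names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. Every subject, file name and key here is constructed for the demo.

# Create a throwaway root CA, intermediate CA and server certificate in directory $1.
make_demo_pki() {
  local d=$1 n
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = CN' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
  for n in root intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
    -out "$d/intermediate.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 \
    -out "$d/server.crt" 2>/dev/null
}

# The chain is certificates only: intermediate first, then root. No key goes in it.
build_chain() {            # $1 = dir
  cat "$1/intermediate.crt" "$1/root.crt" > "$1/chain.crt"
}

# Does the server cert validate for a client that trusts only the root, when the
# server presents the given file ($2) as its chain of extra certificates?
verifies_with_chain() {    # $1 = dir, $2 = chain file
  openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/server.crt" >/dev/null 2>&1
}

# The key a profile needs is the one paired with the server certificate.
key_matches_cert() {       # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

d=$(mktemp -d) && make_demo_pki "$d" && build_chain "$d"
verifies_with_chain "$d" "$d/chain.crt" && echo "chain.crt supplied: verification OK"
verifies_with_chain "$d" "$d/root.crt"  || echo "intermediate missing: verification fails"
key_matches_cert "$d/server.key" "$d/server.crt" && echo "server.key matches server.crt"
rm -rf "$d"
```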