Creating Chain Certificates

Question

Hello All,&nbsp;
&nbsp;I needed to create a chain ssl certficate from the intermediatory and root certficates as the root CA had changed. I followed the instructions given in the link and created the chain .crt.&nbsp;&nbsp;http://support.f5.com/kb/en-us/solu...tmlcustom&nbsp;&nbsp;
&nbsp;However the website still gives a certficate error after executing the info in the link. 
&nbsp;I also noticed that there is nothing on the key creation in this chain scenario. Do i need to create a new key since ive created a new chain.crt. My key for the certficate bundle says "no key".  I had .p12 files for these devices , so dont have the keys. &nbsp;&nbsp;
&nbsp;Nik&nbsp;&nbsp;&nbsp;

john_matlock_42 · Answer

Hi Nik, 
&nbsp;  
&nbsp; There is no key required for the chain.  To be clear, you have keys imported on the F5 for the certs right?  This is required.  You mentioned creating the chain but didn't mention adding it to the SSL profile.  Make sure that your SSL profile has a certificate, key and chain set. 
&nbsp;  
&nbsp; Let me know if this didn't help.  If it didn't help, what is the certificate error the site is giving? 
&nbsp;  
&nbsp; John

nik_67256 · Answer

Hi John ,  
&nbsp;  
&nbsp;  
&nbsp; 1) There are no keys for the 2 Root and 2 Intermediate security certficates  that i have and they are certificates only. The keys are in the CA, only the CA has the private keys.So not sure which keys is being referred to? 
&nbsp;  
&nbsp;  
&nbsp; 2) Yes , I did add the chain.crt to the chain field in the server profile. Is there anything i  need to do with the client profile ? 
&nbsp;  
&nbsp; 3) Further , do i also need to specify the certificate name as chain.crt in the certficate field in the ssl profile ? Wouldnt this again be chain.crt which ive already specified in the chain field in ssl profile ? 
&nbsp;  
&nbsp; 4) Do i again need to update the passphrase in the SSL profiles 
&nbsp;  
&nbsp;  
&nbsp; Nik

nitass · Answer

2) Yes , I did add the chain.crt to the chain field in the server profile. Is there anything i need to do with the client profile ? normally chain is set in clientssl profile unless you do certificate authentication on server-side (between f5 and server). can you try to update chain in clientssl profile instead of serverssl profile?

nik_67256 · Answer

John, 
&nbsp;  
&nbsp; 2) After updating the client SSL profile , the red address bar certficate error did go away on the login page of the f5 device.So thats good. However once i logged in , there was a certficate error again giving the foll message -  
&nbsp;  
&nbsp; "The security certficate presented by this website has errors. The problem might indicate an attempt to  
&nbsp; fool you or intercept any data you send ot the server. we recommend to close this page" 
&nbsp;  
&nbsp;  
&nbsp; Nik

nitass · Answer

"The security certficate presented by this website has errors. The problem might indicate an attempt to  
&nbsp; fool you or intercept any data you send ot the server. we recommend to close this page" what is fqdn in browser's address bar after logging in? and what is certificate's fqdn (which is shown in browser)? does it match?

Forum Discussion

Creating Chain Certificates

8 Replies

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

Building an OpenSSL Certificate Authority - Creating Your Root Certificate

Building an OpenSSL Certificate Authority - Creating Your Intermediary Certificate

Building an OpenSSL Certificate Authority - Creating ECC Certificates

Creating, Importing and Assigning a CA Certificate Bundle

Use F5 Distributed Cloud to service chain WAAP and CDN