Forum Discussion

Niklas_Ahl_6703's avatar
Icon for Nimbostratus rankNimbostratus
Dec 27, 2010

Device certificate from intermediate CA




I would like to add a trusted device certificate to our LTM and use it for the management interface.


We have our own CA that we issue certificates from, which is an intermediate CA, signed by our root CA.


The cert chain is: Root CA -> Intermediate signing CA -> Certificate



I've issued new certificate from our intermediate CA (with a new private key) and uploaded that under System/Device certificates.


However, I can't find how to attach the trusted certificate chain to the certificate in the GUI.



When working with ssl certificates through client ssl profiles, I can associate a CA chain to a profile.


Is there a similiar functionality for device certificates?



If there's no such thing in the GUI, is it possible to configure this with a commandline script?





7 Replies

  • Can you combine the certs in one file and specify that in the GUI for the device cert?



    cat cert1.crt cert2.crt cert3.crt > device.crt



  • That GUI image looks right. Can you restart httpd (bigstart restart httpd) and retest?



  • httpd restarted.



    Still only the device cert in the handshake though.




  • Yes, when working with bigpipe you change the "running" configuration but not the "startup config. So you'll want to do a bigpipe save (or maybe bigpipe config save?) after verifying your changes.
  • Hi Niklas,



    Did that work, by the way? I hadn't seen the option before.



  • Tried it on our passive node and it worked!



    Just have to run the comman on the active node.



    Is the httpd service only for the management interface? or can the loadbalanced traffic be affected somehow by reconfiguring using bigpipe httpd?



  • Hi,

    here is a way to get it done in TMOS v11+.

    Copy the chain file (single intermediate CA file or bundle in PEM format) as
    to the
    directory and set permissions, i.e.:
    chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt

    Now declare it to be used as chain file to be delivered along with the device certificate during the initial handshake and restart the WebUI:

    tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    bigstart restart httpd

    Thanks, Stephan