Forum Discussion

Niklas_Ahl_6703
Dec 27, 2010

Device certificate from intermediate CA

Hi!

I would like to add a trusted device certificate to our LTM and use it for the management interface.

We have our own CA that we issue certificates from, which is an intermediate CA, signed by our root CA.

The cert chain is: Root CA -> Intermediate signing CA -> Certificate

I've issued a new certificate from our intermediate CA (with a new private key) and uploaded that under System/Device certificates.

However, I can't find how to attach the trusted certificate chain to the certificate in the GUI.

When working with ssl certificates through client ssl profiles, I can associate a CA chain to a profile.

Is there a similar functionality for device certificates?

If there's no such thing in the GUI, is it possible to configure this with a commandline script?

/Niklas

 

  • Can you combine the certs in one file and specify that in the GUI for the device cert?

    cat cert1.crt cert2.crt cert3.crt > device.crt

    Aaron
  • That GUI image looks right. Can you restart httpd (bigstart restart httpd) and retest?

    Aaron
  • httpd restarted.

    Still only the device cert in the handshake though.

    /Niklas
  • Yes, when working with bigpipe you change the "running" configuration but not the "startup" config. So you'll want to do a bigpipe save (or maybe bigpipe config save?) after verifying your changes.
  • Hi Niklas,

    Did that work, by the way? I hadn't seen the option before.

    Aaron
  • Tried it on our passive node and it worked!

    Just have to run the command on the active node.

    Is the httpd service only for the management interface? Or can the loadbalanced traffic be affected somehow by reconfiguring using bigpipe httpd?

    /Niklas
  • Hi,

    Here is a way to get it done in TMOS v11+.

    Copy the chain file (single intermediate CA file or bundle in PEM format) as intermediate_ca.crt to the /config/httpd/conf/ssl.crt/ directory and set permissions, i.e.:

    chmod 0644 /config/httpd/conf/ssl.crt/intermediate_ca.crt

    Now declare it to be used as chain file to be delivered along with the device certificate during the initial handshake and restart the WebUI:

    tmsh modify / sys httpd ssl-certchainfile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    bigstart restart httpd

    Thanks, Stephan
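Both answers above depend on getting the PEM files right before they are copied to the box: Aaron's approach needs one bundle in the order leaf, then intermediate(s); Stephan's needs the leaf alone as the device certificate plus a separate chain file holding the intermediate(s). The script below is an added example, not from the thread or from F5, that builds both layouts and checks them with openssl before deployment. It is plain POSIX sh; all file names, the demo CA names and the hostname bigip-mgmt.example.test are assumptions, and the Root -> Intermediate -> leaf PKI it generates is throw-away test data mirroring the chain described in the question.

```shell
#!/bin/sh
# Added example (not the thread's or F5's code): assemble PEM chain files in
# the order a TLS server must present them and verify them against the root.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th PEM certificate block of a file (1-based). Used to pull the
# leaf out of a bundle, or to check which certificate a bundle starts with.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# Concatenate PEM files into $1 in the order given (leaf first). Every input
# is forced to end with a newline; a plain cat of a file lacking one glues
# the END line of one block to the BEGIN line of the next and breaks the PEM framing.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        if [ -n "$(tail -c 1 "$f")" ]; then printf '\n' >> "$out"; fi
    done
}

# Verify that the first certificate in bundle $2 chains to root $1 using the
# intermediates present in $2. Non-zero status means the chain is incomplete.
verify_chain() {
    root=$1; bundle=$2
    leaf=$(mktemp)
    nth_cert "$bundle" 1 > "$leaf"
    rc=0
    openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1 || rc=$?
    rm -f "$leaf"
    return $rc
}

# Build a throw-away Root -> Intermediate -> leaf PKI in directory $1
# (constructed demo data, names are assumptions).
demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:bigip-mgmt.example.test\n' > "$d/leaf.ext"
    for n in root intermediate leaf; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    done
    openssl req -new -key "$d/root.key" -subj '/CN=Demo Root CA' -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -key "$d/intermediate.key" -subj '/CN=Demo Intermediate CA' \
        -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj '/CN=bigip-mgmt.example.test' \
        -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Stand-alone run: generate the demo PKI, then produce both file layouts.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    demo_pki "$work"
    # Aaron's layout: one file (leaf + intermediate) for the device-certificate upload.
    build_chain "$work/device.crt" "$work/leaf.crt" "$work/intermediate.crt"
    # Stephan's layout: leaf alone as device cert, intermediates in a chain file.
    build_chain "$work/intermediate_ca.crt" "$work/intermediate.crt"
    echo "device.crt holds $(count_certs "$work/device.crt") certificates"
    if verify_chain "$work/root.crt" "$work/device.crt"; then
        echo "chain verifies against the root"
    else
        echo "chain does NOT verify: check order and completeness"
    fi
    rm -rf "$work"
fi
```

After the files are in place and httpd restarted, the same check Niklas did by hand can be repeated from a client with `openssl s_client -connect <mgmt-ip>:443 -showcerts`: the output should list the device certificate followed by the intermediate, and `verify_chain` run against the saved output is a quick way to confirm the management interface now presents a complete chain.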