Difference between Root Cert, Intermediate Cert and SSL Cert

Perhaps wikipedia has a better explanation for the whole thing.

1. a private key is generated on the big-ip and kept in the filestore (will be used later in your clientssl profile as 'key')
2. a certificate signing request will be created for the specific hostname and with some specific attributes
3. you will submit the certificate signing request to a certficate authority (CA)
4. the CA with return a signed certficate. You will import it into the TMOS filestore and use it in your clientssl profile as 'certficate'.
5. the CA will also provide a so called intermediate CA file or chain certificate. It proves, that your choosen CA is trusted by one of the root CAs. You will need the intermedidate CA certificate as 'chain' certificate in your clientssl profile

The root CAs are already trusted CAs in the clients browsers. By presenting an intermediate certificate you prove the full chain of trust between the signed certficate, the signing CA and one of the root CAs.

Makes sense?

If I may expand, PKI or "Public Key Infrastructure" is a multi-layered system that uses cryptography to establish relationships between entities, and it depends on an understanding of the term "trust". A "root" authority is a certificate issuer that parties choose to trust (explicitly). It is usually self-signed (self-issued) and very highly protected. An intermediate authority is a certificate issuer that has itself been issued by a root or another higher level intermediate authority. There are a few reasons why an intermediate authority might exist:

1. Because the root authority's security is so important, its exposure is limited. It's turned on just long enough to issue intermediate authority certificates, and then turned off and put in a vault.

2. A certificate authority's job is essentially to issue certificates - both client certificates and server certificates, and because an authority may be in business to issue lots of certificates, putting that kind of load on a single authority is unwise. A root authority can issue several intermediate certificates, and those authorities can then issue client and server certificates.

An SSL cert, in the context of PKI, is just a certificate issued by some authority that is used in SSL communications.

Again, the relationship between these entities is based on cryptography, specifically digital signatures. PKI is also a "two-key" system where an entity will possess a "public" certificate that it can share with the world, and a "private" key that it must keep safe and hidden. The public certificate and private key are cryptographically paired such that one can only decrypt a message encrypted by the other. (Message) encryption therefore is the process of encrypting something with a recipients public certificate so that only the recipient (the holder of the private key) can decrypt it. Digital signature is the reverse of that - encrypting something (usually a hash of some data) with a private key so that a remote party can 1) decrypt it with the sender's public certificate, and 2) know that the sent message is verifiably from the sender (because no one else would have the sender's private key). A certificate authority issues a certificate and digitally signs that certificate so that anyone validating that certificate will know that it was issued by that authority (a process called "non-repudiation").

In any case, when a root authority creates an intermediate authority (and that intermediate authority optionally creates another intermediate authority), which then creates a user or server certificate, a "chain" has been built. Example:

root CA -> intermediate CA -> server certificate  

When a client and server communicate via SSL, the server will initially send its certificate to the client. The client then must be able to build a chain of trust from that certificate to an explicitly trusted root authority (by virtue of its presence in a local "trust store"). Consequently, when the client sends its certificate to the server (if client certificate authentication is enabled), the server must be able to build a chain of trust between the client's certificate to an explicitly trusted root authority (by virtue of its presence in a local "trust store"). In the case of BIG-IP as the server, the authority certificates must be in a "bundle" file and applied to the "Trusted Certificate Authorities" option in the client SSL profile. This is simply a text file that contains the PEM-encoded version of ALL of the authority (public) certificates needed to build a complete chain of trust between the client's certificate and the self-signed root.

1.If the server sends only its own certificate and the intermediate one then there’s no need to send the root CA certificate, as the client should already have this – otherwise the whole point of the PKI is defeated. why should we include root CA in the chain?

You're absolutely correct that the server should (normally) send all certs in the chain up to but not including the root CA. To your question, the chain or trusted certificate authorities options are for validating the client certificate and have nothing to do with the server certificate.

2.As it is mentioned each certificate is trusted by the parent one i.e server is trusted by intermediate CA and intermediate by root and finally root is trusted(cryptographically),then why can't we send root alone?

Because PKI is based on a "CHAIN OF TRUST". To your first point, the root CA cert is never sent because it requires an explicit trust mechanism - you have to manually assign trust.

I would be willing to bet that you don't have to send the root CA for this to actually work. It doesn't make sense and, as you pointed out earlier, would completely invalidate the intent of PKI.

There are certainly exceptions to this rule based on the types of clients and/or services involved in evaluating these certificates, but a core function of The PKI trust establishment process is validating the chain of certificates up to a self-signed "anchor" - a root certificate that has been explicitly trusted by the client and/or server.

Please help me out all of you experts. I have configured client side SSL profile and uploaded certificate, also put CA bundle of all certificates uptill root in Trusted certificate authorities. The problem i am having is that still the SSL secure handshake is failed. And Open SSl shows that there is a self signed certificate in the chain which is root certificate. How to tell F5 that root certificate will always be self signed and ignore it. I did all the need full in browser. Please help