Difference between Root Cert, Intermediate Cert and SSL Cert
Please help me out, all of you experts. I have configured a client-side SSL profile and uploaded the certificate, and also put the CA bundle of all certificates up to the root in Trusted Certificate Authorities. The problem I am having is that the SSL secure handshake still fails, and OpenSSL shows that there is a self-signed certificate in the chain, which is the root certificate. How do I tell F5 that the root certificate will always be self-signed and to ignore it? I did all the needful in the browser. Please help.
- StephanManthey, Nov 09, 2014
Hi Muhammad, it will be necessary to add the intermediate CA / intermediate CA chain to the client-ssl profile. During the handshake the client will now receive the server certificate and all certificates in the single cert or bundle chain as specified above. This way the client can verify the chain of trust from the server certificate up to a root CA he trusts.
If you request / require a client certificate it will be necessary to validate the chain of trust up to the root CA which validates the client certificate. As there may also be intermediate CAs involved it will be necessary to verify the full chain as well. But for this part the virtual server has to trust a root CA and needs to know which intermediate CAs are involved. This is a bundle you want to configure in the context of "client authentication" of your client-ssl profile.
A nice tool to monitor the certificate exchange is ssldump as provided on the BIG-IP:
    ssldump -AdenN -i any host (your_client_ip)
Using the command above may help you to troubleshoot the issue.
Thanks, Stephan
- shubhank_278896, Jul 13, 2016
We have a weird situation. While setting up a connection our application performs a bunch of security checks. One of these is to check if the chain length is correct. We know that it should be 3: root, intermediate and server.
When we connect to a server using the Android application we get as a response only two certificates, intermediate and server, with no root (anchor). But when we perform the check through a web browser we see 3, and on Android we see two of them. A connection from iOS results in 3 certificates.
Is it the server or Android? What can we do to also get the root certificate? Presently pinning on the intermediate only, will it be fine?
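Added example (not from the thread or from F5): a constructed root, intermediate and server chain checked with `openssl verify`. It relates the two observations above: a peer that sends only the server and intermediate certificates still validates to a path of length 3 when the verifier trusts the root locally, and a root that is sent but not trusted produces verification error 19 (self-signed certificate in certificate chain). All file names, subject names and helper functions are made up for the demo, which assumes OpenSSL 1.1.1 or later on the PATH.

```sh
#!/bin/sh
# Added example: every key, name and certificate below is constructed for the demo.

issue() {  # $1=dir $2=file stem $3=subject CN $4=issuer stem $5=extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -set_serial 2 \
    -days 2 -extfile "$1/x.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

make_chain() {  # $1 = empty working directory
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Root CA: self-signed by definition; it only counts once a verifier trusts it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/x.cnf" -extensions v3_ca \
    -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" int "Demo Intermediate CA" root v3_ca &&
  issue "$1" srv "demo.example" int v3_leaf &&
  cat "$1/srv.pem" "$1/int.pem" > "$1/sent2.pem" &&                 # server + intermediate
  cat "$1/srv.pem" "$1/int.pem" "$1/root.pem" > "$1/sent3.pem"      # root appended as well
}

sent_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }  # certificates in a presented chain

# Length of the path built when the verifier trusts the root locally ($2 = presented chain).
path_len() {
  openssl verify -show_chain -CAfile "$1/root.pem" -untrusted "$2" "$1/srv.pem" \
    2>/dev/null | grep -c '^depth='
}

# First verification error code when the verifier has NOT been given the root as trusted.
err_without_anchor() {
  openssl verify -untrusted "$2" "$1/srv.pem" 2>&1 |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

d=$(mktemp -d) && make_chain "$d" || exit 1
echo "sent=$(sent_count "$d/sent2.pem") path=$(path_len "$d" "$d/sent2.pem")" \
     "untrusted_root_error=$(err_without_anchor "$d" "$d/sent3.pem")"
```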
