F5 BIG-IP SSLVPN client using machine certs and renewal of the issuing intermediate CA
Hello,
We use the F5 BIG-IP SSLVPN client in combination with machine certificates which are handed out by our internal MS PKI. Our internal PKI consists of a root CA and an intermediate CA, the machine certificates are signed by the intermediate CA. The machine certificates get verified in a "Machine Cert Auth" action/step of the access policy by means of a "CA Profile" which points to a certificate bundle containing our current root CA and intermediate CA certificate.
We would like to issue and start using a new intermediate CA but are unsure if it's possible to just add this new intermediate CA's certificate to the bundle and that way be able to verify machine certs issued by the old and the new intermediate CA at the same time using the same CA profile?
- AceDawg1
Nimbostratus
Good morning,
Would you mind posting a snapshot of the APM VPE for your setup?
- bylie
Nimbostratus
A snapshot of the relevant APM VPE flow and the properties of the Machine Cert Auth check:
The CA profile currently points to a certificate bundle consisting of our root CA and current intermediate CA. As stated in the opening post we would like to know if it's possible to add a new intermediate CA to this bundle to accomplish simultaneous verification of machine certs issued by our current intermediate CA and future machine certs issued by a new intermediate CA?
- AceDawg1
Nimbostratus
Thanks.
I would modify the CA bundle by adding the entire SSL cert chain (root+intermediate) rather than the lone intermediate cert.
In other words, I would concatenate your CA root and new intermediate cert into one file then add the concatenated file to the existing CA bundle.
Keep in mind that you may have to click [Update] on your client SSL profile even though no changes are being made on that page. I've had issues with SSL forward proxy setups where changes made to a datagroup referenced by the SSL profile weren't being re-read until [update] was executed.
- bylie
Nimbostratus
Just to make sure I understand this correctly. What we currently have in our CA bundle:
- root CA
  - current intermediate CA

We would like to issue a new intermediate CA, which conceptually would look like this:
- root CA
  - current intermediate CA
  - new intermediate CA

If I understand correctly, what you're suggesting is to have the CA bundle looking like this:
- root CA
  - current intermediate CA
- root CA
  - new intermediate CA

Is this correct?
- AceDawg1
Nimbostratus
That is correct
- bylie
Nimbostratus
Would there be a problem if the current and new intermediate CA certificate use the same CN?
- AceDawg1
Nimbostratus
Admittedly, I haven't tested but you should be okay with CA certs having the same CN. As I understand it, the SSL chaining process uses digital signatures to build trust: https://knowledge.digicert.com/solution/SO16297.html
- bylie
Nimbostratus
Any reason why the bundle has to have the root CA certificate twice? Couldn't the chaining also work if the bundle contains:
- root CA
  - current intermediate CA
  - new intermediate CA
- AceDawg1
Nimbostratus
Yes. Putting both intermediate certs in one file should work.
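The bundle layout the thread settles on (root once, then both intermediates in one file), checked with the OpenSSL CLI as an added example that is not part of the thread or of F5's product: it also exercises the same-CN question raised earlier, and goes one step further by showing that a machine cert from an intermediate that was left out of the bundle is rejected. All subjects, host names and paths are constructed for the demo, and the verifier used is `openssl verify`, not APM itself.

```shell
# Added example (not from the thread): throwaway test PKI built with the OpenSSL CLI.
# The current and new intermediate deliberately share one CN, and one concatenated
# bundle (root + both intermediates) is checked against machine certs.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/ext.cnf"
# Subject/authority key identifiers are what let a verifier tell two same-CN CAs apart.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# make_root NAME SUBJECT: self-signed root CA
make_root() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 30 \
    -config "$CFG" -out "$WORK/$1.crt" 2>/dev/null
}
# issue NAME SUBJECT ISSUER EXT_SECTION: fresh key and CSR, signed by ISSUER
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$CFG" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -days 30 -extfile "$CFG" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}
# verify_machine NAME: exit 0 if the machine cert chains to the bundle, 1 otherwise
verify_machine() {
  openssl verify -CAfile "$WORK/bundle.pem" "$WORK/$1.crt" >/dev/null 2>&1
}
make_root root "/CN=Example Root CA"
issue int_old "/CN=Example Issuing CA" root ca_ext    # current intermediate
issue int_new "/CN=Example Issuing CA" root ca_ext    # replacement: same CN, new key
issue int_other "/CN=Example Issuing CA" root ca_ext  # same root, but left out of the bundle
issue machine_old "/CN=host1.example.test" int_old leaf_ext
issue machine_new "/CN=host2.example.test" int_new leaf_ext
issue machine_other "/CN=host3.example.test" int_other leaf_ext
# The bundle the thread settles on: the root once, then every issuing CA that should be trusted.
cat "$WORK/root.crt" "$WORK/int_old.crt" "$WORK/int_new.crt" > "$WORK/bundle.pem"
for m in machine_old machine_new machine_other; do verify_machine "$m" && echo "$m: accepted" || echo "$m: rejected"; done
```

Certs from the old and new intermediate are accepted and the third is rejected with "unable to get local issuer certificate", which is the property you want from the bundle: it scopes trust to exactly the issuing CAs listed in it.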