Forum Discussion
F5 BIG-IP WebGUI intermediate certificate
I don't see how I can install an intermediate certificate for the F5 BIG IP management WebGUI. The device seems to be using the "Device Certificate" (under System > Device Certificates) for its management WebGUI. Is there an SSL profile that can be used to configure the certificate chain for the WebGUI, or is it something not supported?
I tried concatenating the device's certificate with the signing certificate (the intermediate certificate) in PEM format and installing that. It works in a sense that the device now shows two certificates in "Device Certificate"/"General Properties", yet if I point the browser to it the device returns only one certificate as part of the SSL handshake for the management WebGUI, the signing certificate gets dropped for some reason.
Thanks Kesha.
12 Replies
- Seth_Cooper
Employee
Please review the solution article below...
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html
Thanks, Seth
- melcaniac
Cirrus
It sounds like you will need to set the Chain in the client SSL profile to use the appropriate signing certificate that you added. Verify that the certificate chain is set by using this site http://www.sslshopper.com/ssl-checker.html
- Kesha_50406
Altostratus
Sure, but this works for the SSL connections terminated on the virtual servers, where you have to explicitly attach an SSL profile derived from the clientssl profile. I'm talking about the management WebGUI, the one that you use to log in to the device itself to manage it, the "BIG-IP Configuration Utility". This seems to be using the "Device Certificate"..
- Seth_Cooper
Employee
It looks like you can import a PKCS 12 file. I have not done this before but in theory you should be create the PKCS12 file with all the certs and import it. You can use openssl to create the PKCS12 file.
- Kesha_50406
Altostratus
I just tried that, unfortunate it still doesn't work. Here's the PKCS12 file containing both certificates:
$ echo '' | openssl pkcs12 -in dbn-vp6.p12 | grep BEGIN
Enter Import Password:
MAC verified OK
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Enter PEM pass phrase:
The device accepts the PKCS12 file no problem, the Device Certificate/General Properties shows two entries now, one for the device certificate, the other one for the signing one. But if I connect to the management interface I still get only the device certificate as part of the TLS handshake:
$ echo '' | openssl s_client -connect dbnintaccvp06:443 -showcerts | grep BEGIN
-----BEGIN CERTIFICATE-----
For comparison this is what should happen if the correct certificate chain is presented:
$ echo '' | openssl s_client -connect www.google.com:443 -showcerts | grep BEGIN
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----

Isn't the device certificate stored somewhere on the BIG-IP (here, I believe: /config/httpd/conf/ssl.crt/)? Couldn't you try to add the intermediate there to it? So just open it with vi and paste the intermediate in there. Might require an httpd restart or even a bigstart restart.
[EDIT] Hmmm, looked at the Apache config and apparently you need to modify SSLCertificateChainFile in the Apache config. On the BIG-IP this is found under /config/httpd/conf.d/ssl.conf, I believe. Not sure how supported it is if you are going to play around with that, and what the effect is after an upgrade.
- nash_65851
Nimbostratus
I may well be missing something here in the details, but for me to add the intermediate for the admin console was the following (Note: I have the root and intermediate certificates as separate certificates):
1. Go to System -> Device Certificates -> Trusted Device Certificates
2. Click Import... and import the root certificate
3. After the root is imported, in the same area click Import... again, make sure you select "Append" as the Import Method, paste your PEM for the intermediate and click Import
That should take care of it.
- Kesha_50406
Altostratus
Yep, uncommenting SSLCertificateChainFile, putting the signing certificate in the location it specifies and then restarting httpd solves the issue. Agreed that this will probably not survive an upgrade.
[root@dbnintaccvp06:Active:Standalone] ~ grep SSLCertificateChainFile /etc/httpd/conf.d/ssl.conf
#   Point SSLCertificateChainFile at a file containing the
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
[root@dbnintaccvp06:Active:Standalone] openssl x509 \
    -in /etc/pki/tls/certs/server-chain.crt \
    -noout -text | grep 'X509v3 Basic' -A 1
            X509v3 Basic Constraints: critical
                CA:TRUE
Verification now works fine:
$ echo '' | openssl s_client -connect dbnintaccvp06:443 -showcerts -CAfile ./ca-root.pem | egrep '(BEGIN|Verify)'
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Verify return code: 0 (ok)
F5 should really add an option to configure the certificate chain for the management WebGUI. I'll try to get a feature request for this.
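As an added example (not code from this thread), a small Python helper that parses `openssl s_client -showcerts` output like the checks above and reports whether the management interface sent only the leaf certificate without its intermediate. The two sample outputs are constructed; the hostname and CA names in them are placeholders.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output when only the
# device certificate is sent (the intermediate is missing). Not a real cert.
SINGLE_CERT = """\
CONNECTED(00000003)
depth=0 CN = dbnintaccvp06.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=dbnintaccvp06.example.test
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample after the chain file is configured: leaf + intermediate.
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=dbnintaccvp06.example.test
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

# s_client prints "<n> s:<subject>" followed by "   i:<issuer>" for each cert.
CERT_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"^Verify return code: (\d+)", re.MULTILINE)

def analyse_chain(output):
    """Summarise what the server presented in the TLS handshake."""
    certs = [(int(n), s.strip(), i.strip()) for n, s, i in CERT_RE.findall(output)]
    presented = output.count("-----BEGIN CERTIFICATE-----")
    # A well-formed chain: each cert's issuer is the subject of the next one.
    ordered = all(certs[k][2] == certs[k + 1][1] for k in range(len(certs) - 1))
    m = VERIFY_RE.search(output)
    verify_code = int(m.group(1)) if m else None
    # Only one cert that is not self-signed means the intermediate was dropped.
    self_signed_last = bool(certs) and certs[-1][1] == certs[-1][2]
    missing_intermediate = len(certs) == 1 and not self_signed_last
    return {"presented": presented, "ordered": ordered,
            "verify_code": verify_code, "missing_intermediate": missing_intermediate}
```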
- Nate_7016
Historic F5 Account
This is an old thread but you can do this via the command line:
tmsh modify sys httpd ssl-certchainfile
save sys config partitions all
That should modify it so that the GUI uses a chain and survives an upgrade.
- Kesha_50406
Altostratus
Thank you! This is definitely better than modifying the httpd config files.