Forum Discussion

Altostratus

Aug 13, 2013

F5 BIG-IP WebGUI intermediate certificate

I don't see how I can install an intermediate certificate for the F5 BIG IP management WebGUI. The device seems to be using the "Device Certificate" (under System > Device Certificates) for its manag...

BIG-IP Access Policy Manager (APM)

management

security

Kesha_50406

Altostratus

Aug 14, 2013

Yep, uncommenting SSLCertificateChainFile, putting the signing certificate to the location it specifies and then restarting httpd solves the issue. Agreed that this will probablhy not survive an upgrade.

[root@dbnintaccvp06:Active:Standalone] ~  grep SSLCertificateChainFile /etc/httpd/conf.d/ssl.conf
   Point SSLCertificateChainFile at a file containing the
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt


[root@dbnintaccvp06:Active:Standalone]  openssl x509 \
 -in /etc/pki/tls/certs/server-chain.crt \
 -noout -text | grep 'X509v3 Basic' -A 1
            X509v3 Basic Constraints: critical
                CA:TRUE

Verification now works fine:

$ echo '' | openssl s_client -connect dbnintaccvp06:443 -showcerts -CAfile ./ca-root.pem | egrep '(BEGIN|Verify)'
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
    Verify return code: 0 (ok)

F5 should really add an option to configure certificate chain for the management WebGUI. I'll try to get a feature request for this.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)