F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

BB16's avatar
BB16
Icon for Nimbostratus rankNimbostratus
Aug 18, 2017

How any Browser know about certificate

How the certificate is imported in browser while accessing any URL with Client SSL profile? In other way how browser get to know about certificate & its valid info. Are certificates stores in any fol...
BIG-IP
devops
LTM
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Aug 18, 2017

Hi,

browser stores a list of trusted certificate authority, installed with the browser or using OS trusted CA list.

Here's how the TLS handshake works (source https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/😞

  Client                                 Server
    |                                      |
    |  ----------- ClientHello --------->  |
    |                                      |
    |  <---------- ServerHello ----------  |
    |  <---------- Certificate ----------  |
    |                 ...                  |
    |  <-------- ServerHelloDone --------  |
    |                 ...                  |

when server send certificate, it must include all certificates between server certificate and root CA (stored in the browser) but not the root CA.

if one intermediate certificate is missing in the chain, the certificate will not be validated.

When Client receive the certificate, it will check against OCSP or CRL services if the certificate is not revoked. (the server can have included the OCSP result with the certificate, this function is called OCSP stapling)

After that, the browser will keep in memory the certificate used for the connection.