Forum Discussion

david_baumgart_'s avatar
david_baumgart_
Icon for Cirrus rankCirrus
Jul 29, 2016

How to properly create Intermediate SSL Certificate

Hello all. I believe this should be an easy question but i need some guidance. I am publishing Skype for Business reverse proxy services with a Big IP and I am using the iApp to do so. I can get my m...
application delivery
BIG-IP
iApps
skype for business
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 29, 2016

Troubleshooting certificate issues is never easy, but the first thing you should probably do is simply verify that you have all of the necessary certificates in the chain. A certificate digitally signs the certificates that it issues, so in a multi-link chain with a root and potentially several subordinate CAs, each certificate in the chain will have a cryptographic relationship with the certificate next to it, either as the signer or signee. The process of verification must then "walk" the chain and verify each signature along the way (against the signer's public key), and the chain must be complete (from end-entity all the way to the explicitly trusted self-signed root).

 

If you look in the certificates section of the BIG-IP GUI, under System - File Management, you'll see the server certificate and bundle. First look at the server certificate and not the issuer. Now go to the bundle, find that issuer, find its issuer, and walk through the bundle until you get the self-signed root (subject and issuer are the same).

 

Now, during the SSL handshake the server will send its certificate, and the certificates from the bundle. The bundle should not, however, contain the root CA. Assuming the client already has and explicitly trusts the root CA, the intermediate CAs in the bundle should provide the client with all of the additional links in the chain to build a complete end-to-end chain from the server cert to the root. If you're getting a verification error, it's very likely that you're missing one of these certificates. You may also need to check the client (mobile device) to make sure it has the root. Looking at the subject and issuer in the properties of the certificates is pretty straight forward, and hopefully you'll spot something that way. But it's not a "true" indicator as certificates can sometimes use the same names. The only accurate way to know is to cryptographically verify the chain, which can be done with various tools including OpenSSL. Before we dig into that mess though, makes sure you're not missing anything by name.