How to properly create Intermediate SSL Certificate
Troubleshooting certificate issues is never easy, but the first thing you should probably do is simply verify that you have all of the necessary certificates in the chain. A certificate digitally signs the certificates that it issues, so in a multi-link chain with a root and potentially several subordinate CAs, each certificate in the chain will have a cryptographic relationship with the certificate next to it, either as the signer or signee. The process of verification must then "walk" the chain and verify each signature along the way (against the signer's public key), and the chain must be complete (from end-entity all the way to the explicitly trusted self-signed root).
If you look in the certificates section of the BIG-IP GUI, under System - File Management, you'll see the server certificate and bundle. First look at the server certificate and note the issuer. Now go to the bundle, find that issuer, find its issuer, and walk through the bundle until you get the self-signed root (subject and issuer are the same).
Now, during the SSL handshake the server will send its certificate, and the certificates from the bundle. The bundle should not, however, contain the root CA. Assuming the client already has and explicitly trusts the root CA, the intermediate CAs in the bundle should provide the client with all of the additional links in the chain to build a complete end-to-end chain from the server cert to the root. If you're getting a verification error, it's very likely that you're missing one of these certificates. You may also need to check the client (mobile device) to make sure it has the root. Looking at the subject and issuer in the properties of the certificates is pretty straightforward, and hopefully you'll spot something that way. But it's not a "true" indicator as certificates can sometimes use the same names. The only accurate way to know is to cryptographically verify the chain, which can be done with various tools including OpenSSL. Before we dig into that mess though, make sure you're not missing anything by name.