CraigM_17826
Aug 27, 2007

Imported SSL certificate issue

Hi everyone,

First up, apologies if this is not the correct forum, I'm not sure which is the most appropriate forum for this posting.

In a nutshell, we have run into a problem with an imported SSL certificate from a Linux Apache webserver. We are using the BigIP to replace an Apache webserver in a WebSphere environment. We had a Verisign cert on the Apache server for SSL traffic. Although we were able to import the certificate and key files into the BIGIP and assign them to the virtual server running on the BIGIP, whenever we access the site via SSL we receive the following SSL error from IE6/IE7/FF:

This certificate has expired or is not yet valid.

Digging a little deeper (under IE7), looking at the Certification Path, I see the following:

VeriSign Class 3 Public Primary CA (OK)

www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign (Big RED X against this)

(OK)

We have another Verisign SSL cert on a different virtual server and it is fine. The only difference is that the cert that is working was originally created on the BigIP, whereas the one that is giving us issues was originally created on a RedHat AS 3 server.

So, should I be able to use an imported Verisign cert or will I have to create a new one via the BigIP? The cert in question is due to expire soon anyway, so if anything this has probably just forced our hand a little sooner.

Any comments/suggestions welcome.

tia

Craig

  • Just an update. We think the issue is related to an expired Intermediate CA. Basically one cert is using an expired intermediate CA whilst the other is not. What we are confused about is why two VeriSign certs are using two different intermediate CAs?

    I contacted VeriSign support and they more or less think it's an issue with an expired intermediate CA as well, but they were unsure of how to rectify it on the BigIP. I suppose it is out of their realm.

    I am loath to manually install the updated intermediate CAs from Verisign given that one of their certs is working as expected and I don't want to risk taking it down.

    We have raised this with F5 tech support in Australia, but I would still be interested to hear from anyone in these forums who has encountered this and what the fix was.

    Regards

    Craig
  • See Here - https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR229