Forum Discussion
CraigM_17826
Altocumulus
Aug 27, 2007
Imported SSL certificate issue
Hi everyone,
First up, apologies if this is not the correct forum, I'm not sure which is the most appropriate forum for this posting.
In a nutshell, we have run into a problem with an imported SSL certificate from a Linux Apache webserver. We are using the BigIP to replace an Apache webserver in a WebSphere environment. We had a Verisign cert on the Apache server for SSL traffic. Although we were able to import the certificate and keyfiles into the BIGIP and assign them to the virtual server running on the BIGIP, whenever we access the site via SSL we receive the following SSL error from IE6/IE7/FF:
This certificate has expired or is not yet valid.
Digging a little deeper (under IE7), looking at the Certification Path I see the following:
VeriSign Class 3 Public Primary CA (OK)
www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign (Big RED X against this)
(OK)
We have another Verisign SSL cert on a different virtual server and it is fine. The only difference is that the cert that is working was originally created on the BigIP whereas the one that is giving us issues was originally created on a RedHat AS 3 server.
So, should I be able to use an imported Verisign cert or will I have to create a new one via the BigIP? The cert in question is due to expire soon anyway, so if anything this has probably just forced our hand a little sooner.
Any comments/suggestions welcome.
tia
Craig
6 Replies
- CraigM_17826
Altocumulus
Just an update. We think the issue is related to an expired Intermediate CA. Basically one cert is using an expired intermediate CA whilst the other is not. What we are confused about is why two VeriSign certs are using two different intermediate CAs?
I contacted VeriSign support and they more or less think it's an issue with an expired intermediate CA as well, but they were unsure of how to rectify it on the BigIP. I suppose it is out of their realm.
I am loath to manually install the updated intermediate CAs from Verisign given that one of their certs is working as expected and I don't want to risk taking it down.
We have raised this with F5 tech support in Australia, but I would still be interested to hear from anyone in these forums who has encountered this and what the fix was.
Regards
Craig
- CraigM_17826
Altocumulus
Problem fixed.
Craig
- CraigM_17826
Altocumulus
lol :D
- Aaron_Norman_53
Nimbostratus
What was the fix from Joe? Can you please post?
- Manish_Cameron_
Nimbostratus
See Here - https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR229
- hoolio
Cirrostratus
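The thread traces the browser error to an expired intermediate CA in the chain rather than to the site certificate itself. The following is an added example, not part of the original thread and not F5 or VeriSign tooling: it uses the `openssl` command line to check the expiry of every certificate in a PEM chain bundle, so an intermediate near or past its end date shows up before a bundle is imported. The function names, the demo subjects and the two-day window are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit every certificate in a PEM chain bundle for expiry.

# chain_expiry_report BUNDLE [SECONDS]
# Prints "STATUS<TAB>notAfter<TAB>subject" per certificate. Returns 1 if any
# certificate is expired or expires within SECONDS (default 0), 2 on bad input.
chain_expiry_report() {
    local bundle=$1 window=${2:-0} tmp f status rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || { rm -rf "$tmp"; return 2; }
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRING; rc=1
        fi
        printf '%s\t%s\t%s\n' "$status" \
            "$(openssl x509 -in "$f" -noout -enddate)" \
            "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR: builds a constructed leaf/intermediate/root bundle in DIR.
# All names are made up; the intermediate is deliberately valid for one day only.
make_demo_chain() {
    local d=$1 n
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for n in int leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 1 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 365 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

demo=$(mktemp -d)
make_demo_chain "$demo"
# Flag anything expiring within two days: only the intermediate should trip.
chain_expiry_report "$demo/bundle.pem" 172800 || echo "chain needs attention"
rm -rf "$demo"
```

Run against a real bundle with a window of 0, the report marks only certificates that have already expired.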
