Forum Discussion
Intermediate and certificate checks in BIG-IP LTM
Is there a functionality in the newer code for LTM that checks the Intermediate Certificate Chain and whether it checks the compatibility to a certificate? I know the newer code checks the certificate and key matching but does anyone know if this is capable for the chain and cert as a prevention method so that going into the CLI to check OpenSSL is not needed?
- youssef1 (Cumulonimbus)
Hi,
In fact, now when you build your Client SSL Profile, F5 checks that the certificate and key match, and it warns you with the following message:
01070317:3: profile /Common/test's key and certificate do not match.
But unfortunately F5 does not, for the moment, allow you to check that the chain is valid. So if you put an invalid chain, F5 does not indicate any error. You have to check it manually (SSL Labs, openssl, or check in the GUI).
K20381201: Verifying a new CA signed SSL certificate
Check using openssl or your browser
You can also verify your configuration using the GUI. Check who issued your certificate, then validate that the chain contains the issuer...
Let me know if you need more details.
Regards
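The manual openssl check described above, as an added example that is not part of the original post or of F5's tooling: a POSIX shell script that builds a throw-away test PKI (all names constructed: a root, two intermediates "g3" and "g4", and a leaf issued by g4) and then tests whether a candidate intermediate really chains the leaf up to the root, which is the check the SSL profile does not do for you. It assumes the openssl CLI is installed.

```shell
# Added example (not from the thread or from F5): constructed test PKI, then a
# chain check that the BIG-IP Client SSL profile does not perform. Needs openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# new_cert <name> <subject> <issuer name | self> <CA:TRUE|CA:FALSE>
new_cert() {
  name=$1; subj=$2; issuer=$3; ca=$4
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$ca" > "$WORK/$name.ext"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -set_serial "0x$(openssl rand -hex 8)" \
      -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# chain_ok <leaf.pem> <intermediate.pem> <root.pem>: returns 0 if the
# intermediate is the right one for this leaf, 1 otherwise.
chain_ok() {
  leaf=$1; chain=$2; root=$3
  # Cheap first check: the leaf's issuer DN must equal the intermediate's subject DN
  li=$(openssl x509 -in "$leaf" -noout -issuer | sed 's/^issuer=//')
  cs=$(openssl x509 -in "$chain" -noout -subject | sed 's/^subject=//')
  [ "$li" = "$cs" ] || { echo "issuer/subject mismatch: '$li' vs '$cs'" >&2; return 1; }
  # Real check: signatures and CA basicConstraints all the way up to the root
  openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1
}

# Constructed PKI: two intermediates under one root; the leaf is issued by g4 only.
setup_pki() {
  new_cert root "/CN=Example Root CA" self CA:TRUE
  new_cert inter_g3 "/CN=Example Intermediate G3" root CA:TRUE
  new_cert inter_g4 "/CN=Example Intermediate G4" root CA:TRUE
  new_cert leaf "/CN=www.example.test" inter_g4 CA:FALSE
}

setup_pki
for c in inter_g4 inter_g3; do   # expect: inter_g4 OK, inter_g3 wrong
  chain_ok "$WORK/leaf.pem" "$WORK/$c.pem" "$WORK/root.pem" \
    && echo "$c: chain OK for leaf" || echo "$c: WRONG chain for this certificate"
done
```

To use it against a real deployment, point `chain_ok` at the leaf, the chain bundle and the trusted root you are about to load into the profile instead of the constructed files.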
- Kevin_Stewart (Employee)
Can you please elaborate? Are you talking about validating a CA chain against an end-entity cert?
- acurry583 (Altocumulus)
Hi, thanks Kevin, yes, I am speaking of validating the CA chain to the end certificate. For example, I apply a profile and the certificate and key match but the chain is wrong, i.e., Symantec_class_3_ev_ssl_g3 is placed but should be a _g4 CA. I know that I can check the chain via the CLI but I was looking for a quicker check. I have worked with Citrix NetScaler load balancers previously and they will not allow you to place the incorrect chain with a cert. It will give you an error to say that the hash does not match. I am using a very old code, 10.x, and I would like to know if the newer codes perform such checks.
- Kevin_Stewart (Employee)
Ah, gotcha. That makes sense. But no, newer versions do not perform a check on the CA chain in the SSL profile.
But, as of 13.0 there's a new feature called "CA Bundle Manager" that will auto-build and maintain CA bundles, which in your case could update the bundle automatically to include the g4 CA cert.
- acurry583 (Altocumulus)
This is very helpful! Thank you!