M_2
Apr 02, 2015

Intermediate chain or CA bundle in client and server SSL

Hello friends,

I am trying to understand the purpose or usage of the chain certificate or CA bundle in client and server SSL profiles.

Is the chain required for all well-known CAs like Venafi, GoDaddy, and Entrust? Or is it required for unknown CAs only?

How does adding the chain in BIG-IP profiles help?

Please help me to understand.

Thanks in advance.

Sam

3 Replies

  • Joseph_Grone_11
    Historic F5 Account

    Sam,

    The purpose of the chain certificate or CA bundle is so that path validation (or certificate chaining) can be done on the certificate during the certificate validation process. It can also be used, in the Client SSL profile, to advertise so that the client has a better idea of which certificates might be accepted.

    --Joe

  • I think you were asking 2 questions here:

    1) On the Client SSL side, if you are trying to put a server SSL certificate on the F5, you should include the intermediate certificates so that the browser can trace the validity back to the browser's CA bundle, which is a list of certificate authorities.

    2) For the Server SSL profile (if the profile is configured to enforce certificates), the CA bundle is used as a list of certificate authorities that the F5 trusts to generate certificates.

  • The CA bundle should not be required for server SSL certificates in a Client SSL profile. The browser should already have a CA bundle of trusted CA sources.
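
Added example, not part of the thread or any poster's code: the path validation described in the replies, reproduced with the openssl CLI. It builds a constructed root, intermediate and leaf, then validates the leaf as a client that trusts only the root, once without and once with the intermediate supplied alongside it. All subject names and file names are constructed for the illustration.

```shell
#!/bin/sh
# build_pki DIR: create a constructed root -> intermediate -> leaf hierarchy in DIR.
build_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the only certificate the client will trust.
  openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Constructed Root CA" \
    -days 2 >/dev/null 2>&1 || return 1
  # Intermediate CA, signed by the root and marked CA:TRUE.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
    -out "$d/int.crt" >/dev/null 2>&1 || return 1
  # Server (leaf) certificate, signed by the intermediate, not by the root.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=www.example.test" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
}

# verify_leaf DIR MODE: validate the leaf as a client whose trust store holds only the root.
#   leaf_only  - the server presented just its own certificate
#   with_chain - the server also presented the intermediate (untrusted helper cert)
verify_leaf() {
  case $2 in
    leaf_only)  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1 ;;
    with_chain) openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
                  "$1/leaf.crt" >/dev/null 2>&1 ;;
    *) return 2 ;;
  esac
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir" || echo "openssl could not build the constructed PKI"
for mode in leaf_only with_chain; do
  if verify_leaf "$demo_dir" "$mode"; then echo "$mode: chain verified"
  else echo "$mode: verification failed"; fi
done
```

The intermediate is passed with `-untrusted`, so it only helps build the path; trust still comes from the root in the client's own store.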