Machine Cerrt auth - new PKI Multi-level CA

Question

I have had machine cert auth working in several APM profiles, now I need to move to a new Certificate Authority.  The new CA is a multi-level PKI with root CA (offline) &gt; subordinate CA.  
&nbsp;
I attempted to make the move to the new CA by using the same process I did with the single level CA, export the CA certificate, in this case from the subordinate CA, import to the big-ip and apply to the certificate authority policy.  This is failing with "unable to get local issuer certificate"&nbsp;
Could this be that I don't have the full chain?&nbsp;
Looking at the CA certificates side by side on the big IP I can't see a difference between the cert from the new PKI multi-level and the old single level CA.  
&nbsp;
On the workstation I'm testing with I have removed all machine certs except for the one I'm testing, which is issued by the PKI multi-level CA I'm testing.&nbsp;

boneyard · Answer

Could this be that I don't have the full chain?
yes, client SSL requires full chain, so from first sub CA upto the root CA.

Forum Discussion

Machine Cerrt auth - new PKI Multi-level CA

Recent Discussions

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Inquiry About the "ast-api-discovery" Repository

Related Content

NGINX Virtual Machine Building with cloud-init

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

Ubuntu Virtual Machine for NGINX Microservices March 2022 Labs

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection

Migration F5-DNS-VM from a Virtual Machine to other Virtual Machine

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS