Forum Discussion
Machine Cert auth - new PKI Multi-level CA
I have had machine cert auth working in several APM profiles; now I need to move to a new Certificate Authority. The new CA is a multi-level PKI with root CA (offline) > subordinate CA.
I attempted to make the move to the new CA by using the same process I did with the single-level CA: export the CA certificate, in this case from the subordinate CA, import it to the BIG-IP and apply it to the certificate authority policy. This is failing with "unable to get local issuer certificate".
Could this be that I don't have the full chain?
Looking at the CA certificates side by side on the BIG-IP I can't see a difference between the cert from the new multi-level PKI and the old single-level CA.
On the workstation I'm testing with I have removed all machine certs except for the one I'm testing, which is issued by the PKI multi-level CA I'm testing.
1 Reply
"Could this be that I don't have the full chain?"
Yes, client SSL requires the full chain, so from the first sub CA up to the root CA.
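The situation in this thread can be reproduced locally with OpenSSL. This is an added example, not part of the original posts or of F5's tooling: it builds a constructed root > subordinate > machine certificate and checks the machine certificate first against the subordinate CA alone, then against a subordinate+root bundle. All names and file paths are made up, and the exact OpenSSL error text may differ from what the BIG-IP logs.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA > subordinate CA > machine cert.
# Every name and path here is made up for illustration.
set -eu

build_demo_pki() {  # $1 = empty working directory
  local d="$1"
  # Self-signed root (stands in for the offline root CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Subordinate CA, signed by the root and marked CA:TRUE.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null
  # Machine certificate, signed by the subordinate CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=workstation01.example.test" \
    -keyout "$d/machine.key" -out "$d/machine.csr" 2>/dev/null
  openssl x509 -req -in "$d/machine.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -out "$d/machine.crt" 2>/dev/null
  # Full chain bundle: subordinate first, then root.
  cat "$d/sub.crt" "$d/root.crt" > "$d/chain-bundle.crt"
}

# Succeeds only if certificate $2 verifies against the CA file $1.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d; d="$(mktemp -d)"
  build_demo_pki "$d"
  for ca in sub.crt chain-bundle.crt; do
    if chain_verifies "$d/$ca" "$d/machine.crt"; then
      echo "$ca: machine cert verifies"
    else
      echo "$ca: verification fails (issuer chain incomplete)"
    fi
  done
  rm -rf "$d"
}
demo
```

Running `openssl verify -CAfile` by hand against the exported CA file shows the specific issuer-lookup error and the depth at which the chain stops.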