Forum Discussion
smp_86112
Cirrostratus
Dec 15, 2011
Managing SSL Certificate Bundles
We are about to change SSL vendors, and it appears their root is already in the built-in "ca-bundle". However, their intermediates are not. I wanted to get some feedback on the right way to manage these certs from the admin GUI, as the dialog box labels and help are not very clear.
What I was thinking is that I would add the intermediate certificates to a new bundle that I create. Then in the New Client SSL Profile dialog box, I would leave the "Trusted Certificate Authorities" value at its default ca-bundle, but change the "Chain" value to the new bundle I created containing the custom intermediates.
Is that how this is supposed to be managed? Should I be concerned about ca-bundle or my custom intermediate bundle being overwritten during an upgrade?
14 Replies
- Hamish
Cirrocumulus
That's exactly how I do it. Leave the CA bundle as it is, and add the intermediates in the chain.
To make a chain 'bundle' just cat all the intermediates into a single file and import. (Some of the intermediates have a chain of their own).
H
- Hamish
Cirrocumulus
Oh... I haven't had any of my bundles over-written. Just make sure their name isn't the same as one of the bundles that's included and you'll be fine.
H
- smp_86112
Cirrostratus
Thanks Hamish. We got a certificate from our new vendor. Then I created a new client SSL profile with the cert/key, but left the Chain and Trusted Certificate Authorities values set at None. Finally I applied it to a VIP. But when I hit the VIP, the cert validates just fine.
How can that be? I thought the LTM presented the certificates in the Chain bundle during the key exchange? Seems like the client doesn't care what the Chain or Trusted Certificate Authorities value is set to in the Client SSL Profile?
- Hamish
Cirrocumulus
That just means the client you used already has the intermediate certs. Not all client CA databases are the same. So some will have the intermediates and some won't. You just don't really know who until someone complains.
H
- nitass
Employee
Yes, it is exactly what Hamish said. To verify, I remove the intermediate certificate in the client, or use the openssl command, or use an installation checker (if there is one).
e.g.
VeriSign SSL Certificate Installation Checker
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1130
- smp_86112
Cirrostratus
You were right, both the Root and the Intermediate certificates were in my browser. It is not clear to me whether I should include the Root certificate in the custom bundle, or just the Intermediate. So I tried to break the handshake by removing the root and intermediate from my browser (tried both IE and FF), and setting the Chain value in the Client SSL Profile to None. But when I make a connection, I don't get any error, and both the intermediate and root certificates are added automatically to my browser.
WTH? How do I break this chain? Both IE and FF want to trust both of the certificates.
- hoolio
Cirrostratus
Your server cert might already be properly chained with intermediate cert(s) to a root cert in the browser (i.e. the browser already has the intermediate cert(s) and root cert installed). You can check this by viewing the cert in IE and then clicking on the Certification Path.
I don't think you need to install the root cert in the chain as the client has to have it in order to avoid the unchained (or untrusted) cert error. It doesn't hurt to include the intermediate cert(s) in the bundle for non-standard clients who might not already have it/them installed.
Aaron
- smp_86112
Cirrostratus
Thanks for the feedback everyone. I have done some more testing, and I think I have convinced myself of how this works. But I ran into weird quirks in both IE and FF while trying to understand the SSL interaction between the LTM and the browser. In IE, I removed both the root and intermediate certs from the browser, set the Chain value to None, and I expected IE to display the warning. Instead, I got no warning and both the root and intermediate certificates were added automatically - I didn't have to do anything. I'm inclined to chalk that up to our organization's group policy, though I'm not 100% convinced of that.
In FF, when I removed both the root and intermediate certs, I didn't get a warning - at first. I had to do this weird refresh dance. But eventually I was able to reproduce a handshake failure with the Root imported, no intermediate, and the Chain set to None. When I set the Chain to my custom bundle with the intermediate, I was successful.
So what I concluded from this exercise is that we know a client will most likely only contain the Root. And when the Chain value is set to None in the Client SSL Profile, the LTM simply presents the server certificate, which is not signed by the Root (it is signed by the intermediate), so the handshake will fail. However, by creating a custom bundle with the CA's intermediate and specifying the custom bundle in the Client SSL Profile Chain, the LTM will also present the CA's Intermediate certificate. And between the client's Root certificate and the LTM's intermediate, it can validate the server certificate.
Hopefully I've got that simpleton explanation right. I'd appreciate someone letting me know if I'm twisted around.
- hoolio
Cirrostratus
Hi SMP,
I think that's about right. One thing to be aware of is that if you've already completed the SSL handshake, the browser and TMM will store the session ID in their cache and reuse it. So it's possible that after you changed your cert settings on the client and/or server, your browser would have resumed an existing session and you wouldn't see the expected failure. To avoid this scenario, you can clear the client SSL cache and/or TMM's cache. It's less impacting to do this on the client than TMM.
Aaron
- Hamish
Cirrocumulus
That IE feature sounds like a bit of a security hole... Albeit a small one. But it could be serious where you really do want to remove a CA cert... I can't think of any time I'd like my CA certs automatically updated when I'd just removed one... Whether the browser was restarted (which should lose the SSL session) or not.
I normally don't use browsers for testing stuff like SSL. I use openssl to do it from the command line of a Linux (or Mac) client somewhere on the network. Far more info and way easier to diagnose where issues lie than the woolliness wrapped around the browser.
H
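The command-line check Hamish describes, written out as an added example that is not code from the thread or from F5: it builds a throwaway Root -> Intermediate -> Server chain with openssl, then runs `openssl verify` the way a client whose trust store holds only the Root would see the VIP, once with Chain set to None (server cert alone) and once with a custom bundle containing the intermediate. The CN values, the host name `vip.example.test`, the file names and the temporary directory are all constructed for the demo; the only assumption is a working `openssl` binary with its default configuration.

```shell
#!/bin/sh
# Added example (not code from the thread): build a throwaway Root -> Intermediate -> Server
# chain with openssl, then verify the server cert the way a client whose trust store holds
# only the Root would see it, with and without the intermediate "Chain" bundle.
# Assumes a system `openssl` with its default config; the CN values, host name and file
# names are constructed for the demo and everything lives in a temporary directory.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Extensions: every CA in the chain must assert CA:TRUE or verify rejects it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vip.example.test\n' > leaf.ext

# Helper for the demo: a fresh RSA key pair and CSR for file stem $1 with subject CN $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" >/dev/null 2>&1
}

build_chain() {
  # Root CA: self-signed; this is what sits in ca-bundle / the browser trust store.
  new_csr root "Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
      -out root.crt >/dev/null 2>&1

  # Intermediate CA, signed by the Root: the vendor cert that is NOT in ca-bundle.
  new_csr inter "Demo Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 365 -extfile ca.ext -out inter.crt >/dev/null 2>&1

  # Server (VIP) cert, signed by the Intermediate, not by the Root.
  new_csr server "vip.example.test"
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 365 -extfile leaf.ext -out server.crt >/dev/null 2>&1

  # The custom bundles discussed above: just cat the intermediate(s) into one PEM file,
  # optionally with the Root appended (harmless, but the client does not need it).
  cat inter.crt > chain-bundle.pem
  cat inter.crt root.crt > chain-with-root.pem
}

# Model the client side of the handshake: the trust store is root.crt only, and $1 is the
# extra PEM the server presented alongside server.crt ("" models Chain set to None).
# Prints "ok" when the chain validates and "fail" when the client would show an
# untrusted/unchained certificate error.
verify_as_client() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.crt -untrusted "$1" server.crt >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile root.crt server.crt >/dev/null 2>&1 && echo ok || echo fail
  fi
}

build_chain
echo "Chain=None                : $(verify_as_client "")"                  # fail
echo "Chain=intermediate bundle : $(verify_as_client chain-bundle.pem)"    # ok
echo "Chain=intermediate+root   : $(verify_as_client chain-with-root.pem)" # ok
```

Against a real VIP the same client view comes from `openssl s_client -connect host:443 -showcerts`, which prints every certificate the LTM actually sends; with Chain set to None only the server certificate appears, and pasting the intermediates it does send into a file and feeding that to `openssl verify -untrusted` reproduces the check above without any browser cache or group-policy behaviour getting in the way. Because the resumed-session issue Aaron mentions does not apply to a fresh `s_client` connection, a failure here is a genuine chain problem rather than a cached handshake.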