Forum Discussion
smp_86112
Dec 19, 2011 | Cirrostratus
Thanks for the feedback everyone. I have done some more testing, and I think I have convinced myself of how this works. But I ran into weird quirks in both IE and FF while trying to understand the SSL interaction between the LTM and the browser. In IE, I removed both the root and intermediate certs from the browser, set the Chain value to None, and I expected IE to display the warning. Instead, I got no warning and both the root and intermediate certificates were added automatically - I didn't have to do anything. I'm inclined to chalk that up to our organization's group policy, though I'm not 100% convinced of that.
In FF, when I removed both the root and intermediate certs, I didn't get a warning - at first. I had to do this weird refresh dance. But eventually I was able to reproduce a handshake failure with the Root imported, no intermediate, and the Chain set to None. When I set the Chain to my custom bundle with the intermediate, I was successful.
So what I concluded from this exercise is that we know a client will most likely only contain the Root. And when the Chain value is set to None in the Client SSL Profile, the LTM simply presents the server certificate, which is not signed by the Root (it is signed by the intermediate), so the handshake will fail. However, by creating a custom bundle with the CA's intermediate and specifying the custom bundle in the Client SSL Profile Chain, the LTM will also present the CA's Intermediate certificate. And between the client's Root certificate and the LTM's intermediate, it can validate the server certificate.
Hopefully I've got that simpleton explanation right. I'd appreciate someone letting me know if I'm twisted around.