Forum Discussion
smp_86112
Dec 15, 2011 | Cirrostratus
Managing SSL Certificate Bundles
We are about to change SSL vendors, and it appears their root is already in the built-in "ca-bundle". However, their intermediates are not. I wanted to get some feedback on the right way to manage thes...
nitass
Dec 20, 2011 | Employee
just for information.
Important: Putting the root CA certificate in the certificate bundle is optional, and will never cause the client to trust the root CA. This would defeat the purpose of third party validation, since trusted CAs should be predetermined and their certificates intentionally installed on the client. Presenting the root CA in the chain is simply a courtesy on the SSL server's part, potentially providing the client the option to manually accept and install any of the required certificates in their Trusted Certificate store. For example, in popular client browsers, the user may see a pop-up asking "Would you like to install this certificate?" If using a private PKI, this may be an acceptable way of distributing the required CA certificates. However, if using well known public PKIs, manually accepting and installing a CA certificate should never be required to verify the authenticity of a server certificate.
sol10167: Overview of the Client SSL profile
http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html
for automatically adding root certificate, not sure if this relates.
Automatic CA root certificate updates on Windows
http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
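The trust rule quoted in the reply above, as an added example that is not part of the thread or of the F5 article: a constructed root, intermediate and leaf are generated with the openssl CLI, and the leaf is then verified the way a client would verify it. All names and file names (Constructed Root CA, www.example.test, chain-with-root.pem) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI, every name and file here is made up.
PKI=$(mktemp -d)

make_pki() (   # root -> intermediate -> leaf, written into $PKI
  cd "$PKI" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = CN' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' > pki.cnf
  exec >/dev/null 2>&1   # silence openssl inside this subshell only
  openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 2 || exit 1
  openssl req -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate CA" || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca -days 2 -out int.pem || exit 1
  openssl req -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" || exit 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem || exit 1
  cat int.pem root.pem > chain-with-root.pem   # intermediates plus the optional root
)

# $1 = CA file the client already trusts ("" = the constructed root is not installed)
# $2 = certificates the server presents; they are passed as -untrusted, so they
#      can only help build the path and are never treated as trust anchors
client_accepts() (
  cd "$PKI" || exit 1
  if [ -n "$1" ]; then openssl verify -CAfile "$1" -untrusted "$2" leaf.pem
  else openssl verify -untrusted "$2" leaf.pem
  fi >/dev/null 2>&1
)

report() {
  if client_accepts "$2" "$3"; then echo "accepted: $1"; else echo "rejected: $1"; fi
}

make_pki || { echo "openssl could not build the test PKI" >&2; exit 1; }
report "root trusted, intermediate sent"            root.pem chain-with-root.pem
report "root trusted, intermediate only (no root)"  root.pem int.pem
report "root trusted, server sends leaf only"       root.pem leaf.pem
report "root not trusted, intermediate + root sent" ""       chain-with-root.pem
```

The last two cases are the ones that matter when changing vendors: a missing intermediate breaks verification even though the root is trusted, and adding the root to the bundle does nothing for a client that has not installed it.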