Forum Discussion

smp_86112
Dec 15, 2011

Managing SSL Certificate Bundles

We are about to change SSL vendors, and it appears their root is already in the built-in "ca-bundle". However, their intermediates are not. I wanted to get some feedback on the right way to manage these certs from the admin GUI, as the dialog box labels and help are not very clear.

What I was thinking is that I would add the intermediate certificates to a new bundle that I create. Then in the New Client SSL Profile dialog box, I would leave the "Trusted Certificate Authorities" value at its default ca-bundle, but change the "Chain" value to the new bundle I created containing the custom intermediates.

Is that how this is supposed to be managed? Should I be concerned about ca-bundle or my custom intermediate bundle being overwritten during an upgrade?

14 Replies

  • Hamish
    Oh... On an earlier question. You never include the root cert. It just wouldn't add any information.

    Because the trust of a site cert is a chain, the chain needs to lead to a cert somewhere that the browser does trust. Including the root in the chain presented by the server is redundant. Because if the client doesn't have it already, it won't trust the chain anyway. And if it does have the root, you don't need to include it...

    H
  • Just for information.

    Important: Putting the root CA certificate in the certificate bundle is optional, and will never cause the client to trust the root CA. This would defeat the purpose of third party validation, since trusted CAs should be predetermined and their certificates intentionally installed on the client. Presenting the root CA in the chain is simply a courtesy on the SSL server's part, potentially providing the client the option to manually accept and install any of the required certificates in their Trusted Certificate store. For example, in popular client browsers, the user may see a pop-up asking "Would you like to install this certificate?" If using a private PKI, this may be an acceptable way of distributing the required CA certificates. However, if using well known public PKIs, manually accepting and installing a CA certificate should never be required to verify the authenticity of a server certificate.

    sol10167: Overview of the Client SSL profile
    http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html

    For automatically adding root certificates, not sure if this relates.

    Automatic CA root certificate updates on Windows
    http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
  • Sorry, it is duplicated.

    PS. The Internet must have something wrong today. It is always duplicated when posting. :-(

  • Just in case someone looks up this post again. You never add the root CA certs. The whole point is the client already has root certificates that it trusts. Your job is to create a chain of trust between the root CA and your SSL certificate. So you need to include any intermediate certificates that achieve this.

    Root CA (client must have this already)
      +---> Intermediate CA (you need to supply this)
               +--- Your SSL Certificate (your SSL certificate)
    

    So your certificate is signed by the Intermediate CA, make sure you have the right one as there can be many, and the Intermediate CA is signed by the Root CA the client already trusts. This is how we create the chain of trust for SSL.
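The chain-of-trust picture above can be checked on the command line before a bundle is loaded into a Client SSL profile. The script below is an added example, not code from the thread or from F5: it assumes the `openssl` CLI is installed, builds a throwaway root -> intermediate -> leaf PKI with constructed names (Demo Root CA, www.example.test), writes a `chain.pem` that holds only the intermediate (the equivalent of the custom bundle the question proposes for the "Chain" field), and then shows three things: the leaf verifies against the root when that bundle is supplied, it fails without it, and the root's fingerprint is absent from the bundle, which is the "never include the root" point made twice above.

```shell
#!/bin/sh
# Added example (not from the original thread): a throwaway private PKI built
# with openssl to check what belongs in an intermediate chain bundle.
# Names and hostnames below are constructed for this demo.

# Build root -> intermediate -> leaf in directory $1 and write chain.pem
# holding the intermediate only, which is what the server should present
# next to the leaf certificate.
make_demo_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    for n in root int leaf; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
    done
    # Self-signed root: stands in for a root the client already has installed.
    openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Demo Root CA" -days 2 -config "$dir/pki.cnf" -extensions v3_ca
    # Intermediate CA, signed by the root.
    openssl req -new -key "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Demo Intermediate CA" -config "$dir/pki.cnf"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.pem" -days 2 \
        -extfile "$dir/pki.cnf" -extensions v3_ca 2>/dev/null
    # Leaf (server) certificate, signed by the intermediate.
    openssl req -new -key "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=www.example.test" -config "$dir/pki.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.pem" -days 2 \
        -extfile "$dir/pki.cnf" -extensions v3_leaf 2>/dev/null
    # The chain bundle: intermediates only, root omitted.
    cp "$dir/int.pem" "$dir/chain.pem"
}

# Number of PEM certificates in a bundle file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds when the leaf validates up to the trusted root with the chain bundle
# supplied as untrusted intermediates (what a client does with the server's chain).
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Succeeds when the leaf does NOT validate on its own: the error a client sees
# when the server forgets to send the intermediate.
fails_without_chain() {
    ! openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Succeeds when the root's SHA-256 fingerprint appears in bundle $2 (work dir $1).
chain_contains_root() {
    rootfp=$(openssl x509 -noout -fingerprint -sha256 -in "$1/root.pem")
    rm -f "$1"/chainpart*.pem
    awk -v d="$1" '/BEGIN CERTIFICATE/{n++} {print > (d "/chainpart" n ".pem")}' "$2"
    for p in "$1"/chainpart*.pem; do
        [ "$(openssl x509 -noout -fingerprint -sha256 -in "$p")" = "$rootfp" ] && return 0
    done
    return 1
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "certs in chain.pem: $(count_certs "$d/chain.pem")"
    verify_with_chain "$d" && echo "leaf + chain.pem verifies against root: OK"
    fails_without_chain "$d" && echo "leaf alone does not verify: expected"
    cat "$d/int.pem" "$d/root.pem" > "$d/chain_with_root.pem"
    chain_contains_root "$d" "$d/chain.pem" || echo "chain.pem omits the root: good"
    chain_contains_root "$d" "$d/chain_with_root.pem" && echo "chain_with_root.pem carries a redundant root"
    rm -rf "$d"
}
demo
```

The same `openssl verify -CAfile <root> -untrusted <bundle> <leaf>` form works against a vendor's real intermediate bundle: if it fails while the root is present in the CA file, the bundle is missing an intermediate or contains the wrong one, which is exactly the "make sure you have the right one as there can be many" caveat above.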