Managing SSL Certificate Bundles
What I was thinking is that I would add the intermediate certificates to a new bundle that I create. Then in the New Client SSL Profile dialog box, I would leave the "Trusted Certificate Authorities" value at its default ca-bundle, but change the "Chain" value to the new bundle I created containing the custom intermediates.
Is that how this is supposed to be managed? Should I be concerned about ca-bundle or my custom intermediate bundle being overwritten during an upgrade?
14 Replies
- Hamish
Cirrocumulus
Oh... On an earlier question. You never include the root cert. It just wouldn't add any information.
Because the trust of a site cert is a chain, the chain needs to lead to a cert somewhere that the browser does trust. Including the root in the chain presented by the server is redundant. Because if the client doesn't have it already, it won't trust the chain anyway. And if it does have the root, you don't need to include it...
H
- nitass
Employee
Just for information.
Important: Putting the root CA certificate in the certificate bundle is optional, and will never cause the client to trust the root CA. This would defeat the purpose of third party validation, since trusted CAs should be predetermined and their certificates intentionally installed on the client. Presenting the root CA in the chain is simply a courtesy on the SSL server's part, potentially providing the client the option to manually accept and install any of the required certificates in their Trusted Certificate store. For example, in popular client browsers, the user may see a pop-up asking Would you like to install this certificate? If using a private PKI, this may be an acceptable way of distributing the required CA certificates. However, if using well known public PKIs, manually accepting and installing a CA certificate should never be required to verify the authenticity of a server certificate.
sol10167: Overview of the Client SSL profile
http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html
For automatically adding root certificates, not sure if this relates.
Automatic CA root certificate updates on Windows
http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
- nitass
Employee
Sorry, it is duplicated.
PS. The Internet must have something wrong today. It is always duplicated when posting. :-(
- Kevin_Davies_40
Nacreous
Just in case someone looks up this post again. You never add the root CA certs. The whole point is the client already has root certificates that it trusts. Your job is to create a chain of trust between the root CA and your SSL certificate. So you need to include any intermediate certificates that achieve this.
Root CA (client must have this already)
  +---> Intermediate CA (you need to supply this)
         +--- Your SSL Certificate (your SSL certificate)
So your certificate is signed by the Intermediate CA, make sure you have the right one as there can be many, and the Intermediate CA is signed by the Root CA the client already trusts. This is how we create the chain of trust for SSL.
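The chain of trust described in the replies above, as an added example that is not from this thread or from F5: it builds a throwaway private PKI with the openssl CLI (the CA names and www.example.test are made up) and then emulates clients to show that the "Chain" bundle needs the intermediate, that a missing intermediate breaks validation, and that sending the root never makes a client trust it.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway private PKI,
# root -> intermediate -> server cert, then emulates clients with the
# openssl CLI to show what the "Chain" bundle must and must not hold.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >leaf.ext

# mkcsr NAME SUBJECT: fresh RSA key plus CSR for one member of the PKI.
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
mkcsr root   "/CN=Example Private Root CA"
mkcsr int    "/CN=Example Intermediate CA"
mkcsr server "/CN=www.example.test"

# Root CA, self-signed: lives only in the *client's* trust store.
openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
  -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate, signed by the root: this is what the server must present.
openssl x509 -req -sha256 -days 1825 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null
# Server certificate, signed by the intermediate.
openssl x509 -req -sha256 -days 365 -in server.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -extfile leaf.ext -out server.pem 2>/dev/null

# What goes in the BIG-IP "Chain" bundle: the intermediate(s) only.
cat int.pem >chain-bundle.pem
# The same bundle with the root appended (redundant, as the thread says).
cat int.pem root.pem >chain-with-root.pem

# verify_as_client TRUSTSTORE [CHAIN]: emulate a client whose only trusted
# CA file is TRUSTSTORE ("none" = trusts nothing) and which receives
# server.pem plus the optional CHAIN bundle from the server. Exit 0 = trusted.
verify_as_client() {
  store=$1; chain=$2
  if [ "$store" = none ]; then set -- -no-CAfile -no-CApath; else set -- -CAfile "$store"; fi
  [ -n "$chain" ] && set -- "$@" -untrusted "$chain"
  openssl verify "$@" server.pem >/dev/null 2>&1
}
# report LABEL TRUSTSTORE [CHAIN]: one human-readable line per case.
report() { l=$1; shift; if verify_as_client "$@"; then echo "$l: trusted"; else echo "$l: NOT trusted"; fi; }

report "root trusted, intermediate supplied  " root.pem chain-bundle.pem     # trusted
report "root trusted, intermediate missing   " root.pem                      # NOT trusted
report "root trusted, root also in bundle    " root.pem chain-with-root.pem  # trusted (root was redundant)
report "root NOT trusted, root sent in bundle" none chain-with-root.pem      # NOT trusted
```

The last case is the point nitass quoted: a root delivered inside the chain is treated as untrusted input, so only a root already in the client's store can anchor the chain.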
