
adrian_171483
Dec 09, 2015

SSL / Intermediate Certs in SSL profiles

Hi all,

Slightly confused about SSL Client Profile Chains on the LTM. I have a site that is complaining that the Intermediate certificate is missing, but we have already installed the provider Root certificate into the chain.

I cannot see how to get the intermediate certificate into the F5 without removing the root?

My best guess is to add the intermediate by itself as an additional chain group on the SSL Profile?

3 Replies

  • One thing we ran into was not having the right chain associated with the profile. Our domain cert had a couple intermediate certs on the way up to the root certificate, and one of those in the middle was not available by default on some devices our users were using. Once we added the full chain to the profile, it resolved the issue for those users. So verifying that the cert chain has all the necessary intermediate information in it may be a good place to start.


  • There are actually a few places in the client SSL profile to inject certificate authorities, but I'm going to assume you mean the Chain option at the top of the profile, right under the Certificate and Key selection.

    There are two things to understand about this Chain option:

    1. It is intended to "help" the client by providing any CA certificates the client may not have in order to build a complete trust chain. During the SSL handshake, and directly after the server's ServerHello message, the server sends a Certificate message that contains its certificate (what you've loaded into the profile's Certificate selection), and optionally a group of CA certificates (what you've loaded into the Chain selection).

    2. It should NEVER include the root CA. The client should explicitly trust the root CA, and by default most browser agents will simply ignore a root CA in the server's certificate message. The Chain selection is intended solely for intermediate CA certificates, and can either be a single intermediate CA or a "bundle" of intermediates. A bundle is created by concatenating the PEM-formatted certificates into a single text file and importing that as a single certificate.
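    The two rules above, turned into a short POSIX shell script. This is an added example, not code from the thread or from F5: it builds the PEM bundle that would be imported as a single certificate and selected in the profile's Chain option, refuses to include a self-signed root (which belongs in the client's trust store), and then checks the way a client would, with a trust store holding only the root, that the leaf verifies with the bundle and fails without it (the symptom in the question). It assumes the `openssl` command-line tool is installed; the three-tier PKI and every CN in it are constructed here for the demonstration and are hypothetical.

```shell
#!/bin/sh
# Added example (not F5 code): assemble a client SSL profile "chain" bundle from
# intermediate CA certificates, skipping any self-signed root, then emulate a
# client that trusts only the root. The whole PKI is constructed below with
# openssl; all names are hypothetical.

WORK="$(mktemp -d)"

# Print the subject / issuer of a PEM certificate without the "subject="/"issuer="
# prefix, so the two can be compared as plain strings.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Return 0 when the certificate is self-signed (issuer equals subject): a root CA.
is_self_signed() {
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# build_chain OUT LEAF CERT... : write the chain bundle for LEAF to OUT.
# Intermediates are appended in the order given (leaf's issuer first, then that
# issuer's issuer, and so on). A self-signed root is skipped with a note, and an
# out-of-order intermediate gets a warning. Prints the number of certs written.
build_chain() {
    out="$1"; leaf="$2"; shift 2
    : > "$out"
    expect="$(cert_issuer "$leaf")"
    count=0
    for cert in "$@"; do
        if is_self_signed "$cert"; then
            echo "skip '$(cert_subject "$cert")': root CA, belongs in the client trust store" >&2
            continue
        fi
        if [ "$(cert_subject "$cert")" != "$expect" ]; then
            echo "warning: '$(cert_subject "$cert")' is not the issuer of the previous cert (wanted '$expect')" >&2
        fi
        expect="$(cert_issuer "$cert")"
        cat "$cert" >> "$out"
        count=$((count + 1))
    done
    echo "$count"
}

# client_can_verify ROOT LEAF [CHAIN]: emulate a client whose trust store holds
# only ROOT and that receives LEAF (plus CHAIN, if the server sends one).
client_can_verify() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Construct a throwaway PKI: root -> intermediate -> server leaf (hypothetical names).
make_test_pki() {
    printf 'basicConstraints = CA:TRUE\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Example Test Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Stand-alone demonstration: the root is offered to build_chain and rejected,
# the intermediate goes in, and only the bundle makes the leaf verifiable.
make_test_pki
n="$(build_chain "$WORK/chain.pem" "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem")"
echo "chain bundle holds $n certificate(s): $WORK/chain.pem"
client_can_verify "$WORK/root.pem" "$WORK/leaf.pem" \
    && echo "without chain: verified" || echo "without chain: FAILS (missing intermediate)"
client_can_verify "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/chain.pem" \
    && echo "with chain: verified" || echo "with chain: FAILS"
```

    The resulting `chain.pem` is what gets imported on the LTM as one certificate object and picked in the Chain selection. To confirm what a virtual server actually puts in its Certificate message, `openssl s_client -connect <host>:443 -showcerts` lists every certificate sent; the server certificate should be followed by the intermediates only, with no root among them.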


  • Hi Kevin, this makes sense; it appears that we have been providing the Thawte Primary Root certificate that was downloaded and added to the F5 within the Chain section.

    In reality, the Thawte Primary Root would be in the local trust store on the client machine anyhow.