SSL certificate chain
Hello,
This is regarding the SSL certificate chain installed in LTM. I have attached the root and intermediate certificates to the client SSL profile. Do we need to install the same root and intermediate certificates in the client/user trust store?
3 Replies
- nathe
Cirrocumulus
Mike, not necessarily. The client (browser) needs to establish a chain of trust. By having the chain in the SSL profile you're telling the client who has signed the cert and who's signed the signing cert, etc., up to a root CA, perhaps.
The browser will need to trust one of these elements in the chain. It could just be the root CA.
Hope this helps, I'm not a PKI expert by any stretch :-)
N
- Hamish
Cirrocumulus
The client needs to have (and trust) a certificate in the path... For example, the client needs (at minimum) the root cert installed and trusted to sign certs. The server then needs to present ALL the certs in the chain between what the client trusts and the end-cert that authenticates the site.
e.g. If you have root->chain1->chain2->site (4 certs) and the client trusts root (only) then the SSL profile needs to present chain1, chain2 and the site cert.
If the client has root, chain1, chain2 then the SSL profile needs to present only the site cert.
The client MUST have AT LEAST one of the certs in the chain (root -> site) installed and trusted.
H
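The root->chain1->chain2->site cases from the reply above, modelled as an added example that is not part of the original posts. It is a simplified sketch: certificates are reduced to subject/issuer names (the `ISSUER_OF` table and `build_path` function are hypothetical), and signatures, validity dates and constraints are not checked.

```python
# Added illustration: certs are modelled as subject -> issuer names only.
# Constructed sample chain taken from the reply's root->chain1->chain2->site example.
ISSUER_OF = {
    "root": "root",      # self-signed
    "chain1": "root",
    "chain2": "chain1",
    "site": "chain2",
}


def build_path(leaf, presented, client_trusted):
    """Walk from the leaf towards the root the way a client builds a path.

    presented      -- cert names the server (SSL profile) sends in the handshake
    client_trusted -- cert names installed and trusted on the client
    Returns (ok, path, missing); missing names the cert nobody supplied.
    """
    if leaf not in presented:
        return False, [], leaf
    path, current = [leaf], leaf
    while True:
        if current in client_trusted:
            return True, path, None        # reached something the client trusts
        issuer = ISSUER_OF[current]
        if issuer == current:
            return False, path, None       # hit a root the client does not trust
        if issuer not in presented and issuer not in client_trusted:
            return False, path, issuer     # gap in the chain
        path.append(issuer)
        current = issuer


if __name__ == "__main__":
    cases = [
        ("profile sends full chain, client trusts root",
         {"site", "chain2", "chain1"}, {"root"}),
        ("profile sends site only, client trusts root",
         {"site"}, {"root"}),
        ("profile sends site only, client has root+chain1+chain2",
         {"site"}, {"root", "chain1", "chain2"}),
        ("profile sends everything, client trusts nothing in the chain",
         {"site", "chain2", "chain1", "root"}, set()),
    ]
    for label, presented, trusted in cases:
        print(label, "->", build_path("site", presented, trusted))
```

The second case is the common misconfiguration: the handshake fails on clients that hold only the root, because no one supplied chain2.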
nathan/hamish Thanks for the help