ringoseagull_77
Nimbostratus
Jul 29, 2010
SSL chain issue
I recently renewed a certificate on my pair of 1600s, running 9.4.7.
The cert shows up as valid for another year and from most logins all is fine. For external customers however, there is an error and the connection is not trusted.
Verisign's testing tool confirms a problem:
"The Intermediate CA certificate cannot be found for the following certificate chain."
Verisign has two options for download for the SSL for this domain, a certificate, which I currently have installed, and a cert which also contains the intermediate cert.
If I try to import the latter, the F5 throws an error stating that the cert does not match the key. This is odd because both certs are generated by Verisign from the same query.
I then followed SOL6401:
I imported the intermediate, though I had to paste it in because the filename Intermediate.crt was not accepted, then ran:
cat Intermediate.crt portal.city.ac.uk.crt ca-bundle.crt > chain.crt
The verify tool gave a response of:
portal.city.ac.uk.crt: OK
I then went into the portal client SSL profile and selected chain from the chain dropdown. When I hit update I received the error:
"Profile portal's key and certificate do not match".
I've also verified all the certs and key used here using the openssl rsa tool and all are of valid format.
Any ideas?
1 Reply
- hoolio
Cirrostratus
You shouldn't specify a key when importing an intermediate or root cert that you're going to use as a chain cert. You should only specify the key for the cert which you are using in the cert and key fields of the client SSL profile.
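Added example, not part of the original thread and not F5 tooling: a shell check with the openssl CLI that reports which certificate in a concatenated PEM file actually belongs to a given private key, run against a chain file ordered like the one built with cat in the question. The PKI, the file names and the host name portal.example.test are constructed for the demonstration, and a self-signed demo CA stands in for the intermediate.

```shell
#!/usr/bin/env bash
# Added example. All keys and certificates below are constructed test data.

# PEM public key embedded in a certificate / derived from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Print the 1-based position of the certificate in a PEM bundle whose public
# key belongs to the given private key (0 if none). Per-cert report on stderr.
find_key_cert() {  # usage: find_key_cert KEY BUNDLE
  local key="$1" bundle="$2" tmp want i=1 hit=0
  tmp=$(mktemp -d)
  want=$(key_pub "$key")
  # Split the bundle into one file per certificate, preserving order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  while [ -f "$tmp/c$i.pem" ]; do
    if [ -n "$want" ] && [ "$(cert_pub "$tmp/c$i.pem")" = "$want" ]; then
      hit=$i; echo "cert $i: matches key  $(openssl x509 -in "$tmp/c$i.pem" -noout -subject)" >&2
    else
      echo "cert $i: no match     $(openssl x509 -in "$tmp/c$i.pem" -noout -subject)" >&2
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$hit"
}

# Build a constructed PKI in directory $1: a stand-in intermediate CA and a server cert.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=portal.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
  # Same ordering as the cat command in the post: intermediate first, server cert second.
  cat "$d/intermediate.crt" "$d/server.crt" > "$d/chain.crt"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
find_key_cert "$demo_dir/server.key" "$demo_dir/chain.crt"   # prints 2
```

Only the server certificate pairs with the server key; the intermediate in the same file never will, which is why the key belongs with the server certificate alone.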