SSL offloading

Question

Hi All,&nbsp;
Can you please let me know what is ssl intermediate certificate in f5 ? How to identify this in SSL certificates list. 
today  I come across and issue that I have renewed one SSL certificate and it did not worked . due to intermediate certificate  not renewed. &nbsp;
how to know if the certificate that taged under VIP is associated with intermediate certificate ? because last week i renewed another cert for other vip it worked just with out any issue.but today the cert i renewed for the vip gave problem .&nbsp;

michael_jenkins · Answer

Not sure if this is the same issue you're having, but we recently had an issue after renewing certificates where some users were getting invalid certificate messages, and it was because we did not have the bundle associated to the clientssl profile. When creating the profiles, we needed to add the cert, key and bundle because (we were using GoDaddy) they changed their certificate authority chain to include other certs that the users didn't have. So you may need to update the bundle on the f5 as well.&nbsp;
SOL3302 talks about using SSL chains. &nbsp;
Hopefully this at least helps you in your journey to find the answer.&nbsp;

stephanmanthey · Answer

Hi vvskaladhar,&nbsp;
the intermediate CA bundle will be provided by your certificate authority.&nbsp;
In case you are configuring an intermediate CA (has to be imported as certificate (bundle) to TMOS filestore as well) in a client-ssl profile, the intermediate CA certificate will provided along with your server certificate to the client during initial SSL handshake.&nbsp;
Based on the intermediate certificate the client is able to validate the chain of trust to one of the root CAs which are trusted by the browser.&nbsp;
Your server certificate has an information about the issuer (signing CA). This string has to match exactly the common name in the end of chain certificate of your intermediate CA bundle. &nbsp;
If these names do not match, the client can not verify the chain of trust.&nbsp;
With shifting to SHA256 hashed certificates it is very likely your CA has a new signing entity deployed (verify the common names) and this is causing the mismatch.&nbsp;
Thanks, Stephan&nbsp;

Forum Discussion

SSL offloading

2 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

AWS F5_OWASP Managed Rule Blocking requests

Owa did not show support id asm

Questions on Migrating configs from iSeries to RSeries F5s

Add all rule labels to events in F5 Rules for AWS WAF - Web exploits OWASP Rules

Does XC DNS support health monitoring for CNAME records?

Related Content

SSL Offloading and Backend pool https

SSL Offload with HTTP/2.0

F5 SSL Offload behind Nginx Reverse Proxy

SSL Offloading for specific IPs or range of IPs

F5 Synthesis: Hybrid SSL Offload

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS