SSL Warning Message
I have a trusted certificate so that when users access the site they don't see a warning message. Some mobile users get a warning message; I was told that an intermediate certificate can help with that. I found the F5 article below about supporting intermediate certificates, but I can't understand why I need to do that if I already have a trusted certificate: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html
4 Replies
- nitass
Employee
"but I can't understand why I need to do that if I already have a trusted certificate"
Your trusted certificate may not be signed by a root CA certificate that is in the browser. A chain/intermediate certificate is used to create a chain of trust from your trusted certificate to the root CA certificate.
- Kevin_Stewart
Employee
If you're getting client side errors, it's very likely that the client doesn't have all of the required certificates to build the trust chain. If, for example, you have a three-level certificate architecture (CA -> subCA -> issued server certificates) and the client only has the root CA certificate, then when the server presents its certificate to the client, the client will not be able to build a path from that cert to its explicitly trusted CA root. Your mobile clients, I'm guessing, do not have the intermediate certificate(s) installed.
- SSHSSH_97332
Nimbostratus
Thanks, and where do I get the intermediate certificate from? Is it free, or does it have to be purchased?
- Kevin_Stewart
Employee
The only thing you'd ever need to purchase would be "issued" certificates: client and/or server certificates. The certificate authority (CA) that issued that certificate will always provide its public cert for free, as this is needed to validate the trust one entity has of another entity, by virtue of explicit trust of the issuer.
As you're probably aware, an "intermediate" certificate is a CA cert that is itself issued by another, higher level, CA. So you can have several levels of issuing CAs from the "root" CA all the way down to the issued server or client cert. Example:
root CA -> intermediate CA -> intermediate CA -> client cert
In order to validate trust in a presented client cert, a server must be able to 1) build the above chain from the cert's issuer, to that cert's issuer, and so on up to the root CA, and 2) have some level of pre-established explicit trust with all or some of these CAs. In the BIG-IP's case, you must explicitly build that complete chain, so you need all of the CA certs in the path. Your best bet for retrieving those certs is first to determine what they are by observing the issuer field of the client or server cert, then going to that vendor for the CA's public certificate, and then repeating that process until you get to the self-signed root.
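To make the chain-building point in the replies above concrete, here is an added shell example (not from this thread or from F5): it creates a constructed root -> intermediate -> server chain with openssl, shows that a verifier that trusts only the root rejects the server cert unless the intermediate is presented alongside it, and reads the Issuer field that tells you which CA cert to fetch next. The CA and host names are made up for the example.

```shell
#!/bin/sh
# Added example: three-level chain (root CA -> intermediate CA -> server cert)
# built with openssl in a scratch directory. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA: the only thing the "client" will explicitly trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA, issued by the root. It must be marked as a CA or verifiers
# will refuse to accept certificates it signs.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out inter.crt 2>/dev/null

# Server certificate, issued by the intermediate (the "trusted certificate"
# from the question: valid, but not signed directly by the root).
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -out server.crt 2>/dev/null

# Client trusts only the root and the server sends only its own cert:
# path building stops at the missing intermediate, so this fails.
verify_with_root_only() {
  openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}

# Server also presents the intermediate (what a chain file on the BIG-IP
# does for TLS clients): the path root -> intermediate -> server now builds.
verify_with_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1
}

# The Issuer field of a cert names the CA whose public cert you need next;
# repeat on that CA's cert until issuer equals subject (the self-signed root).
issuer_of() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

if verify_with_root_only; then echo "root only: OK"; else echo "root only: FAIL (missing intermediate)"; fi
if verify_with_chain; then echo "with intermediate: OK"; else echo "with intermediate: FAIL"; fi
echo "server cert issuer: $(issuer_of server.crt)"
```

Run it with any reasonably recent openssl; the first verification fails with "unable to get local issuer certificate", which is the same condition that produces the browser warning on clients lacking the intermediate.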