Forum Discussion
SSL Warning Message
The only thing you'd ever need to purchase would be "issued" certificates: client and/or server certificates. The certificate authority (CA) that issued that certificate will always provide its public cert for free, as this is needed to validate the trust one entity has of another entity - by virtue of explicit trust of the issuer.
As you're probably aware, an "intermediate" certificate is a CA cert that is itself issued by another, higher level, CA. So you can have several levels of issuing CAs from the "root" CA all the way down to the issued server or client cert. Example:
root CA -> intermediate CA -> intermediate CA -> client cert
In order to validate a trust of a presented client cert, a server must be able to 1) build the above chain from the cert's issuer, to that cert's issuer, to the root CA, and 2) have some level of pre-established explicit trust with all or some of these CAs. In the BIG-IP's case, you must explicitly build that complete chain, so you need all of the CA certs in the path. Your best bet for retrieving those certs is first to determine what they are by observing the issuer field of the client or server cert, then to go to that vendor for the CA's public certificate, and then to repeat that process until you get to the self-signed root.
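The issuer-following procedure described in the post above, as an added example that is not part of the original post or of any F5 tooling. It assumes each certificate's names were dumped with `openssl x509 -noout -subject -issuer`; the function names and the sample names are hypothetical, and it matches names only, without verifying signatures.

```python
# Added example: order an unordered set of CA certs into the chain
# leaf -> intermediates -> self-signed root by following issuer names.
# Name matching only; it does not verify signatures or validity dates.

def parse_names(text):
    """Parse `openssl x509 -noout -subject -issuer` output into (subject, issuer)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer"):
            fields[key.strip()] = value.strip()
    return fields["subject"], fields["issuer"]


def build_chain(leaf_text, ca_texts):
    """Return subjects from the leaf up to the self-signed root.

    Raises LookupError naming the CA cert that still has to be fetched.
    """
    by_subject = {}
    for text in ca_texts:
        subject, issuer = parse_names(text)
        by_subject[subject] = issuer
    subject, issuer = parse_names(leaf_text)
    chain = [subject]
    while issuer != subject:          # self-signed root: issuer == subject
        if issuer not in by_subject:
            raise LookupError("missing CA certificate: " + issuer)
        if issuer in chain:           # cross-issued names would loop forever
            raise ValueError("issuer loop at: " + issuer)
        subject, issuer = issuer, by_subject[issuer]
        chain.append(subject)
    return chain


# Constructed sample output (not real certificates), deliberately unordered.
LEAF = "subject=CN = client1\nissuer=CN = Issuing CA 2\n"
CAS = [
    "subject=CN = Example Root\nissuer=CN = Example Root\n",
    "subject=CN = Issuing CA 2\nissuer=CN = Issuing CA 1\n",
    "subject=CN = Issuing CA 1\nissuer=CN = Example Root\n",
]

if __name__ == "__main__":
    print(" -> ".join(build_chain(LEAF, CAS)))
```

The `LookupError` message names the next issuer whose public certificate still has to be obtained before the chain is complete.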