bylie
Jun 14, 2018

F5 BIG-IP SSLVPN client using machine certs and renewal of the issuing intermediate CA

Hello,

We use the F5 BIG-IP SSLVPN client in combination with machine certificates which are handed out by our internal MS PKI. Our internal PKI consists of a root CA and an intermediate CA, the machine certificates are signed by the intermediate CA. The machine certificates get verified in a "Machine Cert Auth" action/step of the access policy by means of a "CA Profile" which points to a certificate bundle containing our current root CA and intermediate CA certificate.

We would like to issue and start using a new intermediate CA, but are unsure whether it's possible to just add this new intermediate CA's certificate to the bundle and that way be able to verify machine certs issued by the old and the new intermediate CA at the same time, using the same CA profile.

9 Replies

  • Good morning,

    Would you mind posting a snapshot of the APM VPE for your setup?


  • bylie

    A snapshot of the relevant APM VPE flow and the properties of the Machine Cert Auth check:

    The CA profile currently points to a certificate bundle consisting of our root CA and current intermediate CA. As stated in the opening post, we would like to know whether it's possible to add a new intermediate CA to this bundle to accomplish simultaneous verification of machine certs issued by our current intermediate CA and future machine certs issued by a new intermediate CA.

  • Thanks.

    I would modify the CA bundle by adding the entire SSL cert chain (root+intermediate) rather than the lone intermediate cert.

    In other words, I would concatenate your CA root and new intermediate cert into one file then add the concatenated file to the existing CA bundle.

    Keep in mind that you may have to click [Update] on your client SSL profile even though no changes are being made on that page. I've had issues with SSL forward proxy setups where changes made to a datagroup referenced by the SSL profile weren't being re-read until [Update] was clicked.


  • bylie

    Just to make sure I understand this correctly, what we currently have in our CA bundle:

    • root CA
      • current intermediate CA

    We would like to issue a new intermediate CA which conceptually would look like this:

    • root CA
      • current intermediate CA
      • new intermediate CA

    If I understand correctly what you're suggesting is to have the CA bundle looking like this:

    • root CA
      • current intermediate CA
    • root CA
      • new intermediate CA

    Is this correct?


  • bylie

    Would there be a problem if the current and new intermediate CA certificate use the same CN?


  • bylie

    Any reason why the bundle has to have the root CA certificate twice? Can't the chaining also work if the bundle contains:

    • root CA
      • current intermediate CA
      • new intermediate CA

  • Yes. Putting both intermediate certs in one file should work.
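As an added example (not part of this thread, and not F5's or the PKI's own tooling), the script below reproduces the situation with a throwaway OpenSSL PKI: one root signs two intermediates that deliberately share the same subject CN, each intermediate issues one machine certificate, and `openssl verify -CAfile` stands in for the check the APM CA profile performs against its bundle. It assumes only that the `openssl` command is on the PATH; every name, path and certificate is constructed here. The bundle with the root plus both intermediates in one file validates both machine certs, while the old bundle (root plus old intermediate only) rejects the cert issued by the new intermediate.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway OpenSSL PKI that mirrors the
# setup under discussion. One root signs two intermediates that share the same
# subject CN; each intermediate issues one machine certificate. The "both"
# bundle (root + old + new intermediate in a single file) must validate both
# machine certs, while the old bundle (root + old intermediate) must reject
# the cert issued by the new intermediate. Every name and path is constructed.
set -eu

EC_KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Extension file for a CA or an end-entity certificate. SKID/AKID let the
# chain builder match a leaf to its issuer by key id rather than by subject
# name alone, which is what makes two intermediates with an identical CN workable.
write_ext() {  # $1 = output path, $2 = "ca" or "leaf"
    if [ "$2" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
    else
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$1"
    fi
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> "$1"
}

# Issue $2.pem from a fresh key and CSR, signed by CA $4 (its .pem and .key).
issue() {  # $1 dir, $2 name, $3 subject, $4 issuer name, $5 "ca"|"leaf"
    openssl req -new $EC_KEY -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
    write_ext "$1/$2.ext" "$5"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
        -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Build the whole demo PKI and the two bundles being compared in the thread.
build_demo_pki() {  # $1 = empty directory
    openssl req -new $EC_KEY -keyout "$1/root.key" -out "$1/root.csr" \
        -subj "/CN=Example Root CA" 2>/dev/null
    write_ext "$1/root.ext" ca
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3650 \
        -extfile "$1/root.ext" -out "$1/root.pem" 2>/dev/null
    # Same CN on both intermediates, as asked in the thread; different keys.
    issue "$1" int-old "/CN=Example Issuing CA" root ca
    issue "$1" int-new "/CN=Example Issuing CA" root ca
    issue "$1" machine-old "/CN=laptop01.example.internal" int-old leaf
    issue "$1" machine-new "/CN=laptop02.example.internal" int-new leaf
    # Old bundle: root + current intermediate. New bundle: root once, both intermediates.
    cat "$1/root.pem" "$1/int-old.pem" > "$1/bundle-old.pem"
    cat "$1/root.pem" "$1/int-old.pem" "$1/int-new.pem" > "$1/bundle-both.pem"
}

# Exit 0 if certificate $2 chains to a root in bundle $1, non-zero otherwise.
verify_with_bundle() {  # $1 bundle, $2 certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: print a verdict for every bundle/certificate pair.
demo() {
    dir="$(mktemp -d)"
    build_demo_pki "$dir"
    for bundle in bundle-old bundle-both; do
        for cert in machine-old machine-new; do
            if verify_with_bundle "$dir/$bundle.pem" "$dir/$cert.pem"; then
                echo "$bundle: $cert OK"
            else
                echo "$bundle: $cert REJECTED"
            fi
        done
    done
    rm -rf "$dir"
}
demo
```

The extension file matters for the same-CN question: with a subjectKeyIdentifier on each intermediate and a matching authorityKeyIdentifier on each machine cert, the verifier can pick the right issuer among two certificates whose subject names are identical, which is the situation a renewed intermediate with an unchanged CN creates.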