
SSL Warning Message

SSHSSH_97332
Nimbostratus

I have a trusted certificate so that when users access the site they don't see a warning message. Some mobile users do get a warning message; I was told that an intermediate certificate can help with that. I found the F5 article below about supporting intermediate certificates, but I can't understand why I need to do that if I already have a trusted certificate: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html

4 REPLIES

nitass
F5 Employee

but I can't understand why I need to do that if I already have a trusted certificate

Your trusted certificate may not be signed by a root CA certificate that is in the browser. A chain/intermediate certificate is used to create the chain of trust from your trusted certificate to the root CA certificate.

 

Kevin_Stewart
F5 Employee

If you're getting client side errors, it's very likely that the client doesn't have all of the required certificates to build the trust chain. If, for example, you have a three-level certificate architecture (CA -> subCA -> issued server certificates) and the client only has the root CA certificate, when the server presents its certificate to the client, the client will not be able to build a path from that cert to its explicitly trusted CA root. Your mobile clients, I'm guessing, do not have the intermediate certificate(s) installed.

SSHSSH_97332
Nimbostratus

Thanks, and where do I get the intermediate certificate from? Is it free, or does it have to be purchased?

Kevin_Stewart
F5 Employee

The only thing you'd ever need to purchase would be "issued" certificates: client and/or server certificates. The certificate authority (CA) that issued that certificate will always provide its public cert for free, as this is needed to validate the trust one entity has in another entity - by virtue of explicit trust of the issuer.

As you're probably aware, an "intermediate" certificate is a CA cert that is itself issued by another, higher level, CA. So you can have several levels of issuing CAs from the "root" CA all the way down to the issued server or client cert. Example:

root CA -> intermediate CA -> intermediate CA -> client cert

In order to validate trust in a presented client cert, a server must be able to 1) build the above chain from the cert's issuer, to that cert's issuer, to the root CA, and 2) have some level of pre-established explicit trust with all or some of these CAs. In the BIG-IP's case, you must explicitly build that complete chain, so you need all of the CA certs in the path. Your best bet for retrieving those certs is first to determine what they are by observing the issuer field of the client or server cert, then going to that vendor for the CA's public certificate, and then repeating that process until you get to the self-signed root.
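The two points made in this thread, that a client which trusts only the root cannot validate a server cert unless the intermediate is presented too, and that you find the missing CA certs by following each cert's Issuer field up to the self-signed root, can be reproduced offline. The script below is an added example, not from the thread or from F5; it assumes a POSIX shell with an `openssl` binary (1.1.1 or newer), builds a throwaway three-level PKI (root CA -> intermediate CA -> server cert), and every name in it (Example Root CA, www.example.test, the `pool/` directory standing in for "the CA certs you fetched from the vendor") is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or F5): build a throwaway three-level PKI
#   root CA -> intermediate CA -> server cert
# then show (1) a client that trusts only the root cannot validate the server
# cert when the server sends only its own cert, (2) validation succeeds once
# the intermediate is sent alongside it, and (3) how to walk the chain by
# matching each cert's Issuer to a CA cert's Subject until the self-signed root.
# All names (Example Root CA, www.example.test, ...) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/pool"   # stands in for "the CA certs you fetched from the vendor"

# One OpenSSL config for every request; v3_ca / v3_server are the extension sets.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

make_chain() {
  cd "$WORK"
  # Self-signed root: Subject == Issuer, the end of every chain walk.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config pki.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout root.key -out pool/root.crt 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA pool/root.crt -CAkey root.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions v3_ca -out pool/int.crt 2>/dev/null
  # Server (leaf) cert, issued by the intermediate: the one you actually pay for.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=www.example.test" -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA pool/int.crt -CAkey int.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions v3_server -out server.crt 2>/dev/null
  # Chain file the server should present next to its own cert (on a BIG-IP this
  # is the chain certificate attached to the Client SSL profile). Only the
  # intermediate(s), never the root: the client must already trust the root.
  cp pool/int.crt chain.pem
}

# Client that trusts the root but is handed only the server cert (the mobile case).
verify_with_root_only() {
  openssl verify -CAfile "$WORK/pool/root.crt" "$WORK/server.crt"
}

# Same client, but the server also sends chain.pem (untrusted, only used to build the path).
verify_with_chain() {
  openssl verify -CAfile "$WORK/pool/root.crt" -untrusted "$WORK/chain.pem" "$WORK/server.crt"
}

dn_field() {   # dn_field subject|issuer FILE -> bare DN string
  openssl x509 -in "$2" -noout -"$1" | sed "s/^$1= *//"
}

# Walk from a cert up to the self-signed root, resolving each Issuer against the pool.
walk_chain() {
  cert=$1
  while :; do
    subject=$(dn_field subject "$cert")
    issuer=$(dn_field issuer "$cert")
    printf '%-28s issued by: %s\n' "$subject" "$issuer"
    if [ "$subject" = "$issuer" ]; then return 0; fi   # self-signed root reached
    next=
    for cand in "$WORK"/pool/*.crt; do
      if [ "$(dn_field subject "$cand")" = "$issuer" ]; then next=$cand; break; fi
    done
    if [ -z "$next" ]; then
      echo "no CA cert for issuer '$issuer': fetch it from that CA" >&2
      return 1
    fi
    cert=$next
  done
}

make_chain
echo "--- client trusts only the root, server sends only its own cert ---"
if verify_with_root_only; then echo "unexpected success"; else echo "(fails: client cannot build the path)"; fi
echo "--- server also sends the intermediate ---"
verify_with_chain
echo "--- chain, leaf to root, by Issuer -> Subject ---"
walk_chain "$WORK/server.crt"
```

The first `openssl verify` fails with "unable to get local issuer certificate", which is exactly the condition behind the mobile warning: the client has no way to get from the leaf to its trusted root. The second succeeds because the path can now be built from what the server sent. In production the loop in `walk_chain` is you visiting the issuing CA's site for each Issuer name; most public CAs also embed a download URL for the issuing CA cert in the leaf (look for "Authority Information Access" in `openssl x509 -noout -text`).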