I have a trusted certificate so that when users access they don't see a warning message. Some mobile users get a warning message. I was told that an intermediate certificate can help with that. I found the F5 article below about supporting intermediate certificates, but I can't understand why I need to do that if I already have a trusted certificate: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html
but I can't understand why I need to do that if I already have a trusted certificate
Your trusted certificate may not be signed by a root CA certificate that is in the browser. A chain/intermediate certificate is used to create a chain of trust from your trusted certificate to the root CA certificate.
If you're getting client side errors, it's very likely that the client doesn't have all of the required certificates to build the trust chain. If, for example, you have a three-level certificate architecture
(CA -> subCA -> issued server certificates)
and the client only has the root CA certificate, when the server presents its certificate to the client, the client will not be able to build a path from that cert to its explicitly trusted CA root. Your mobile clients, I'm guessing, do not have the intermediate certificate(s) installed.
The only thing you'd ever need to purchase would be "issued" certificates: client and/or server certificates. The certificate authority (CA) that issued that certificate will always provide its public cert for free, as this is needed to validate the trust one entity has of another entity - by virtue of explicit trust of the issuer.
As you're probably aware, an "intermediate" certificate is a CA cert that is itself issued by another, higher level, CA. So you can have several levels of issuing CAs from the "root" CA all the way down to the issued server or client cert. Example:
root CA -> intermediate CA -> intermediate CA -> client cert
In order to validate a trust of a presented client cert, a server must be able to 1) build the above chain from the cert's issuer, to that cert's issuer, to the root CA, and 2) have some level of pre-established explicit trust with all or some of these CAs. In the BIG-IP's case, you must explicitly build that complete chain, so you need all of the CA certs in the path. Your best bet for retrieving those certs is first to determine what they are by observing the issuer field of the client or server cert, then going to that vendor for the CA's public certificate, and then repeat that process until you get to the self-signed root.
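The path building described in the replies above (a client that holds only the root, and the "follow the issuer field until you reach the root" procedure), as an added example that is not part of the original thread. It models certificates as constructed subject/issuer pairs and chains by name only; a real validator also checks signatures, validity dates and CA constraints.

```python
from typing import List, NamedTuple, Optional, Tuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def build_path(leaf: Cert, presented: List[Cert],
               trust_store: List[Cert]) -> Tuple[List[Cert], Optional[str]]:
    """Walk issuer -> subject from the leaf towards a trusted root.

    presented   : extra certs the server sends along with the leaf
    trust_store : CA certs the client explicitly trusts
    Returns (path, missing_issuer); missing_issuer is None when the path
    ends at a trusted CA, otherwise the issuer name that could not be found.
    """
    extras = {c.subject: c for c in presented}
    anchors = {c.subject: c for c in trust_store}
    path, seen, current = [leaf], {leaf.subject}, leaf
    while current.subject not in anchors:
        if current.issuer in anchors:          # reached an explicitly trusted CA
            path.append(anchors[current.issuer])
            return path, None
        nxt = extras.get(current.issuer)
        if nxt is None or nxt.subject in seen:  # gap, loop or untrusted self-signed cert
            return path, current.issuer
        path.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    return path, None


# Constructed sample data for the three-level layout: CA -> subCA -> server cert.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
SUBCA = Cert("CN=Example Sub CA", "CN=Example Root CA")
SERVER = Cert("CN=www.example.test", "CN=Example Sub CA")

if __name__ == "__main__":
    cases = {"server sends leaf only": [],
             "server sends leaf + intermediate": [SUBCA]}
    for label, sent in cases.items():
        path, missing = build_path(SERVER, sent, trust_store=[ROOT])
        names = " -> ".join(c.subject for c in path)
        status = "trusted" if missing is None else "FAILED, missing " + missing
        print(f"{label}: {names} [{status}]")
```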