Forum Discussion
Kevin_Stewart
Jul 06, 2013 (Employee)
If I may clarify, the purpose of the chain is to help the client validate the server certificate presented by VIP. It should only ever contain intermediate certificates, as the roots should be purposefully installed on the clients through some other means. When a client receives the server certificate as part of the SSL negotiation, it must validate its trust in that certificate by chaining together all of the CAs in the hierarchy from the signing/issuance CA certificate up to the self-signed root. That is usually accomplished by explicitly storing these CA certificates in the client's root and intermediate authorities trust stores. A chain is only necessary then if you believe the clients will 1) not have a copy of an intermediate certificate, or 2) "if the client trusts the certificate of another CA further up the same hierarchy, the SSL server can present a chain of certificates which establish a chain of trust to a root CA whose certificate is trusted by the SSL client".
The bundle need only contain non-root CA certificates that might be missing from client trust stores.
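The three situations the post describes, worked through with the openssl command line as an added example (this is not code from the post or from F5; it assumes an openssl 1.1.1 or later CLI, and every name in it, such as "Constructed Root CA" and vip.example.test, is made up). It builds a throwaway root, intermediate and server certificate, then runs `openssl verify` the way a client would: trusting only the root with no chain sent (fails, intermediate missing), trusting the root with the intermediate bundle sent via `-untrusted` (succeeds), and not trusting the root while the bundle carries the root anyway (still fails, because a certificate presented in the chain is never promoted to a trust anchor):

```shell
#!/bin/sh
# Added example, not part of the original post: a throwaway three-tier PKI
# built with openssl, used to show (1) why a client that trusts only the root
# cannot validate the VIP's server certificate unless the intermediate is
# supplied, (2) that a chain bundle of intermediates fixes that, and (3) that
# putting the root itself into the bundle does not make it trusted. All names
# (Constructed Root CA, vip.example.test, ...) are made up for this example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Sign a CSR with a CA cert/key, applying the extensions listed in the extfile.
sign() {  # sign <csr> <ca-cert> <ca-key> <extfile> <out-cert>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -sha256 -extfile "$4" -out "$5" >/dev/null 2>&1
}

make_pki() {
  # Root CA: self-signed; this is what clients receive through other means.
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Root CA" -keyout root.key -out root.crt \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
  # An unrelated root, standing in for a client trust store that lacks ours.
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Other Root CA" -keyout other.key -out other.crt \
    -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
  # Intermediate CA, issued by the root.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
  sign inter.csr root.crt root.key ca.ext inter.crt
  # Server certificate for the VIP, issued by the intermediate.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vip.example.test\n' > srv.ext
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=vip.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
  sign server.csr inter.crt inter.key srv.ext server.crt
  # The chain bundle the VIP should present: intermediates only, no root.
  cp inter.crt chain.pem
  # A badly built bundle that also carries the root.
  cat inter.crt root.crt > chain_with_root.pem
}

# Client trusts the root, holds no intermediate, and the VIP sends no chain.
verify_no_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile root.crt server.crt
}
# Client trusts the root and the VIP sends the intermediate bundle.
verify_with_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile root.crt -untrusted chain.pem server.crt
}
# Client does NOT trust our root; the VIP sends the root inside the bundle.
verify_root_in_chain_untrusted() {
  openssl verify -no-CAfile -no-CApath -CAfile other.crt -untrusted chain_with_root.pem server.crt
}

report() {  # report <label> <check-function>
  if "$2" >/dev/null 2>&1; then echo "$1: verified"; else echo "$1: NOT verified"; fi
}

make_pki
report "root trusted, no chain sent" verify_no_chain
report "root trusted, intermediate bundle sent" verify_with_chain
report "root not trusted, root included in bundle" verify_root_in_chain_untrusted
```

`-untrusted` is the closest command-line stand-in for the certificates a server hands over during the handshake: they may be used to build the path, but only `-CAfile` (the client's own store) supplies trust anchors. That is the practical reason the bundle on the VIP should hold intermediates only, and the root should reach clients some other way.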