Forum Discussion
hooleylist
Apr 21, 2008 | Cirrostratus
That's odd. I tested by importing a cert and intermediate bundle. The GUI shows the certs, but when connecting with openssl s_client, I only see the primary cert.
I guess you could manually edit the ssl.conf (/config/httpd/conf.d/ssl.conf) and specify the chain in:
Server Certificate Chain:
Point SSLCertificateChainFile at a file containing the
concatenation of PEM encoded CA certificates which form the
certificate chain for the server certificate. Alternatively
the referenced file can be the same as SSLCertificateFile
when the CA certificates are directly appended to the server
certificate for convenience.
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
You'd need to copy the intermediate cert to the directory and then restart httpd again.
It might also be good to include the modified ssl.conf in the files saved in a UCS.
SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive
https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4422.html?sr=451055
Locate this line:
save.2221.ignore = /config/httpd/conf.d/ssl.conf
And replace ignore with file:
save.2221.file = /config/httpd/conf.d/ssl.conf
During an upgrade, you’ll need to do a manual diff of the new ssl.conf and the saved copy to make sure the ssl.conf file hasn’t changed. If it has changed, you should modify the updated ssl.conf to add the chain file.
It might be good to run this by F5 Support though to see whether there is/should be an option for specifying a chain cert for the management GUI, and the above steps are a valid workaround.
Aaron
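As an added check to go with the openssl s_client test described in the post (example code written for this page, not from the post or from F5): a small parser for `openssl s_client -showcerts` output that reports whether the server sent a complete chain up to a trusted issuer. The hostnames, CA names and PEM bodies in the two samples are constructed, and the trust store is assumed to contain only the root.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output before the fix:
# the management httpd sends only the server (leaf) certificate. PEM bodies are placeholders.
BEFORE = """\
Certificate chain
 0 s:CN = bigip-mgmt.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
"""
# Constructed sample after SSLCertificateChainFile points at the intermediate cert.
AFTER = """\
Certificate chain
 0 s:CN = bigip-mgmt.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
"""
TRUSTED = {"CN = Example Root CA"}  # assumed trust store: only the root is known to the client
# s_client prints one "N s:<subject>" line followed by an "i:<issuer>" line per sent certificate.
_ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in _ENTRY.finditer(s_client_output)]

def chain_problems(chain, trusted_issuers):
    """Return a list of problems; empty means each sent certificate is issued by
    the next one and the chain ends at an issuer the client already trusts."""
    if not chain:
        return ["no certificates in s_client output"]
    problems = []
    for idx, (subject, issuer) in enumerate(chain):
        if issuer == subject or issuer in trusted_issuers:
            return problems  # reached a self-signed root or a trust anchor
        if idx + 1 == len(chain):
            problems.append(f"chain stops at '{subject}'; issuer '{issuer}' was not sent")
        elif chain[idx + 1][0] != issuer:
            problems.append(f"certificate {idx + 1} is '{chain[idx + 1][0]}', expected '{issuer}'")
    return problems
```

Run the real output through `parse_chain` and `chain_problems` after restarting httpd; an empty list confirms the intermediate is now being served.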