Forum Discussion

Approxee
Jul 06, 2013

Chain with one intermediate CA - LTM SSL

I would try this, but this weekend I am not near a working F5 to try it. I just wanted to ask a question about this paragraph.


It is taken from here https://support.f5.com/kb/en-us/sol...r=29125617


"If you are using certificates signed by an Intermediate CA, F5 recommends that you create and install a bundle containing the certificates of all the CAs in the chain between the certificate configured in the SSL profile and a root CA whose certificate is trusted by the expected client base. The new certificate bundle may then be selected in the Chain setting drop-down list."


If I have only one intermediate CA, then is my chain bundle actually only going to contain one cert, which is the intermediate CA cert?


The Root CA will be in my browser and the SSL Profile Cert is in the SSL profile, so the only missing link is the middle CA. So really my question is: in this case, is the bundle specified in the Chain setting just the single missing cert, not a 'bundle' of certs?


I hope I am not asking a stupid question :-)


Graham Mattingley


3 Replies

  • "So really my question is: in this case, is the bundle specified in the Chain setting just the single missing cert, not a 'bundle' of certs?"
    Yes, if it is a single-tier chain certificate, you need only one certificate in the Chain setting.
  • If I may clarify, the purpose of the chain is to help the client validate the server certificate presented by the VIP. It should only ever contain intermediate certificates, as the roots should be purposefully installed on the clients through some other means. When a client receives the server certificate as part of the SSL negotiation, it must validate its trust in that certificate by chaining together all of the CAs in the hierarchy, from the signing/issuing CA certificate up to the self-signed root. That is usually accomplished by explicitly storing these CA certificates in the client's root and intermediate authorities trust stores. A chain is only necessary, then, if you believe the clients will 1) not have a copy of an intermediate certificate, or 2) "if the client trusts the certificate of another CA further up the same hierarchy, the SSL server can present a chain of certificates which establish a chain of trust to a root CA whose certificate is trusted by the SSL client".

    The bundle need only contain non-root CA certificates that might be missing from client trust stores.
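The following script is an added example, not code from the thread above or from F5, that does what the question and the second reply describe: it assembles the Chain bundle for a client-SSL profile when the server certificate has exactly one intermediate CA, drops any self-signed root that was fed in by mistake, and then checks the result the way a client would (root in the trust store, intermediate supplied only through the presented chain). The root, issuing CA and server certificate are generated here as a throw-away test PKI so it runs offline; the file names (root.pem, inter.pem, server.pem, chain.pem) and the use of the openssl CLI are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread or from F5): build the Chain bundle
# for a client-SSL profile when the server cert has exactly one intermediate CA,
# and check it the way a client would. The root, issuing CA and server cert are
# generated here as a throw-away test PKI so the script runs offline; all file
# names (root.pem, inter.pem, server.pem, chain.pem) are assumptions.
set -e

# Throw-away two-tier PKI under DIR: root (self-signed) -> issuing CA -> server.
make_test_pki() {  # make_test_pki DIR
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
  (
    cd "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -days 30 -subj "/CN=Example Root CA" -config ca.cnf -extensions v3_ca
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Example Issuing CA" -config ca.cnf
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -out inter.pem -extfile ca.cnf -extensions v3_ca
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=www.example.com" -config ca.cnf
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 30 -out server.pem -extfile ca.cnf -extensions v3_server
  ) >/dev/null 2>&1
}

# Split the PEM bundle on stdin into DIR/cert-001.pem, cert-002.pem, ... (one cert each).
split_pem_bundle() {  # split_pem_bundle DIR
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }'
}

# A root is the self-signed cert at the top of the hierarchy: subject == issuer.
is_self_signed() (  # is_self_signed CERT.pem
  s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//')
  i=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  [ "$s" = "$i" ]
)

# Emit the Chain bundle: every CA cert given that is NOT self-signed, in the order
# given (issuing CA first). Roots are dropped, as the reply above says, because the
# client must already trust them from its own store. With one intermediate, the
# "bundle" is exactly one certificate.
build_chain_bundle() (  # build_chain_bundle CA.pem [CA.pem ...]  > chain.pem
  tmp=$(mktemp -d)
  cat "$@" | split_pem_bundle "$tmp"
  for c in "$tmp"/cert-*.pem; do
    if is_self_signed "$c"; then
      echo "dropping self-signed root: $(openssl x509 -noout -subject -in "$c")" >&2
    else
      cat "$c"
    fi
  done
  rm -rf "$tmp"
)

count_certs() {  # count_certs BUNDLE.pem
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# What the client does: walk from the server cert to a root in its trust store,
# using the chain the server presented (if any) only as untrusted intermediates.
# -no-CApath leaves the system CA directory out so our test root is the anchor.
verify_server() {  # verify_server ROOT.pem SERVER.pem [CHAIN.pem]
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -no-CApath -CAfile "$1" "$2"
  fi
}

# Demo: feed root AND intermediate in; only the intermediate should survive.
work=$(mktemp -d)
make_test_pki "$work"
build_chain_bundle "$work/root.pem" "$work/inter.pem" > "$work/chain.pem"
echo "certificates in chain bundle: $(count_certs "$work/chain.pem")"
verify_server "$work/root.pem" "$work/server.pem" "$work/chain.pem"
verify_server "$work/root.pem" "$work/server.pem" || echo "fails without the chain, as expected"
```

For a real deployment, replace the constructed files with the issuing CA's certificate (plus any further intermediates, issuing CA first, root left out) and verify the server certificate against the root your client base actually trusts; the resulting chain.pem is the file you import and pick in the SSL profile's Chain setting.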