Kevin_48708
Nov 09, 2011 · Nimbostratus
Can SAN certificates be used for Device certificates?
Hello
I'm attempting to apply 3rd party signed certificates as device certificates on a GTM and LTM deployment.
I have created a trust chain by concatenating the Root and Intermediate CA certificates and then importing this file into both the Trusted Server Certificates and Trusted Device Certificates stores. This appears to have been successful as the two certificates can be viewed in the GUI. I have also set the certificate depth for the gtmd and big3d daemons to 2. I have run bigip_add between the devices I'm attempting to establish communications between.
I then imported a SAN certificate as the Device Certificate.
When running iqdump I get the following output:
[root@xxx:Standby] config iqdump 192.168.13.38
32206:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1054:SSL alert number 43
---
Certificate chain
0 s:
i:/DC=mdc/DC=ppmanagement/CN=ALBxxx
-----BEGIN CERTIFICATE-----
***Deleted***
-----END CERTIFICATE-----
1 s:/DC=mdc/DC=ppmanagement/CN=ALBxxx
i:/CN=PP Root CA
-----BEGIN CERTIFICATE-----
***Deleted***
-----END CERTIFICATE-----
2 s:/CN=PP Root CA
i:/CN=PP Root CA
-----BEGIN CERTIFICATE-----
***Deleted***
-----END CERTIFICATE-----
---
Server certificate
subject=
issuer=/DC=mdc/DC=ppmanagement/CN=ALBxxx
---
Acceptable client certificate CA names
/CN=PP Root CA
/DC=mdc/DC=ppmanagement/CN=ALBxxx
---
SSL handshake has read 4219 bytes and written 4363 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: ***Deleted***
Key-Arg : None
Compression: 1 (zlib compression)
Start Time: 1320834615
Timeout : 7200 (sec)
I get the following output when I attempt to verify the Device Certificate using the Trusted Device Certificate:
[root@xxx:Standby] config openssl verify -purpose sslclient -CAfile /config/big3d/client.crt /config/httpd/conf/ssl.crt/server.crt
/config/httpd/conf/ssl.crt/server.crt:
error 26 at 0 depth lookup:unsupported certificate purpose
OK
[root@xxx:Standby] config
The output seems to point to the fact that the Device Certificate is not supported. I just wondered if anyone had come across this issue and been able to resolve it?
i.e., has anyone implemented SAN certificates as Device Certificates?
Best Regards
Kevin
I have reviewed the following documents in my attempts to resolve the issue:
http://support.f5.com/kb/en-us/prod...r=17581566
http://support.f5.com/kb/en-us/solu...r=17581554
http://support.f5.com/kb/en-us/solu...l8195.html
http://devcentral.f5.com/Community/...fault.aspx
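The `error 26 at 0 depth lookup:unsupported certificate purpose` line in the post is what `openssl verify -purpose sslclient` reports when the certificate's extensions do not permit TLS client authentication, one common cause being an extendedKeyUsage that lists only serverAuth. The script below is an added example, not part of the original post or of F5's tooling: it builds a throwaway test CA and two SAN certificates, one with serverAuth only and one with serverAuth plus clientAuth, then runs the same purpose check against each so the difference is visible. All names (Demo Root CA, the `example.test` hostnames, the temporary directory) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "unsupported
# certificate purpose" verify result and show that a SAN certificate passes
# -purpose sslclient once clientAuth is present in extendedKeyUsage.
# Everything here (CA, hostnames, paths) is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# Constructed demo root CA (stands in for the poster's "PP Root CA").
cat > ca.ext <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 1 \
  -extfile ca.ext 2>/dev/null

# issue_cert NAME EKU : issue a SAN certificate signed by the demo CA whose
# extendedKeyUsage is exactly EKU (e.g. "serverAuth" or "serverAuth, clientAuth").
issue_cert() {
  name="$1"; eku="$2"
  cat > "$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$name.example.test, DNS:alt-$name.example.test
EOF
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=$name.example.test" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$name.crt" -days 1 -extfile "$name.ext" 2>/dev/null
}

# check_purpose CERT PURPOSE : run "openssl verify -purpose PURPOSE" and
# classify the result. Output text is inspected rather than the exit code
# because older OpenSSL releases print the error and still finish with "OK".
check_purpose() {
  out="$(openssl verify -purpose "$2" -CAfile ca.crt "$1" 2>&1 || true)"
  case "$out" in
    *"unsupported certificate purpose"*) echo "INVALID_PURPOSE" ;;
    *OK*) echo "OK" ;;
    *) echo "OTHER_ERROR" ;;
  esac
}

# eku_of CERT : print the certificate's Extended Key Usage as openssl renders it.
eku_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | tail -n 1 | sed 's/^ *//'
}

issue_cert server_only "serverAuth"
issue_cert dual_use "serverAuth, clientAuth"

for c in server_only dual_use; do
  echo "$c: EKU=[$(eku_of "$c.crt")]" \
       "sslserver=$(check_purpose "$c.crt" sslserver)" \
       "sslclient=$(check_purpose "$c.crt" sslclient)"
done
```

The same `check_purpose` call can be pointed at an existing device certificate and trust file (for example `openssl verify -purpose sslclient -CAfile /config/big3d/client.crt /config/httpd/conf/ssl.crt/server.crt`, as in the post) to see whether the certificate is acceptable for the client role before it is installed; inspecting the Extended Key Usage and Key Usage with `openssl x509 -noout -text` shows which extension the purpose check is rejecting.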