Forum Discussion

Brian_Kenworthy
Jul 22, 2009

Add root CA to ca-bundle?

Hi all,

VeriSign has started signing certificates with a new intermediate root CA for their PKI customers - VeriSign Class 3 Secure Server CA - G2. I do not see this certificate in the ca-bundle.crt file.

I am running LTM 9.4.7 and I was wondering if it is possible to add this root CA to the ca-bundle? I used to be able to update java's cacerts trust store with the keytool program, so maybe we can do something similar with openssl? Or should I just create a new chain altogether?

Thanks in advance for the help!!

10 Replies

  • Yes, you can append certs to the CA bundle, by editing it with a text editor like vi or pico. Or if you already have the new cert on the filesystem, you can use:

    cat newcert.crt >> /config/ssl/ssl.crt/ca-bundle.crt

    However, there does seem to be a Class 3 G2 cert already in the bundle on 9.4.7:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Validity
                Not Before: May 18 00:00:00 1998 GMT
                Not After : Aug  1 23:59:59 2028 GMT
            Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
    MD5 Fingerprint=A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9

    Aaron
  • Thanks Aaron!! I was using a single > instead of double >> and it basically overwrote all of the existing certificates, doh!

    I did see that G2 cert in there already, but it has a different serial number than the one specified by VeriSign:

    http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html

    In any case, I appended the root CA to the ca-bundle and it's working like a charm.

    Thanks again,

    Brian
  • Aaron,

    I've followed the above instructions and I'm having an issue. I copied the base64 text to a .crt file from the VeriSign site for an Intermediate CA:

    Issued to: VeriSign Class 3 International Server CA - G3
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Valid from: 2/7/2010 to 2/7/2020
    Serial Number: 64 1b e8 20 ce 02 08 13 f3 2d 4d 2d 95 d6 7e 67

    Ran the cat newIntermediate.crt >> ca-bundle.crt. I went to an SSL Client profile that uses that bundle and hit the Update button. The base64 encoded text is placed at the bottom of the file but there's no descriptive text above the entry. When I use the GUI I don't see the cert listed and it's made no difference to my certificate chain verification testing from VeriSign. I figure I'm missing a step in getting the text into the ca-bundle but I've not found a solution yet.

    Please let me know if I'm missing something.

    Thanks

    Richard
  • Answering my own question; F5 says the ca-bundle file is only for root CAs, not intermediate CAs.

    To add an intermediate CA cert bundle use this solution:

    http://support.f5.com/kb/en-us/solutions/public/6000/400/sol6401.html

    Richard
  • Hi All,

    Two quick questions in relation to adding the intermediate CA bundle to the F5.

    I've followed the instructions for sol6401 but am a bit lost at the part where they go:

    cat intermediateCA_1.crt intermediateCA_2.crt rootCA.crt > chain.crt

    1/ What do I use for the rootCA.crt? I don't see this file in /config/ssl/ssl.crt ??

    2/ The rootCA is supposed to be optional, so I've tried it without using the rootCA but when I run that against the site's crt, I get this error:

    [root] ssl.crt openssl verify -purpose sslserver -CAfile chain.crt mysite.crt
    mysite.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    error 2 at 2 depth lookup:unable to get issuer certificate

    Does that error message mean anything? I found some other forums where some users just ignored this error and their site still functioned ok.

    Help please...

    Thanks.

    Andy

  • 1/ What do I use for the rootCA.crt? I don't see this file in /config/ssl/ssl.crt ??

    rootCA.crt is the root certificate from your CA. You should be able to get it from the CA website.

    2/ The rootCA is supposed to be optional, so I've tried it without the rootCA but when I run that against the site's crt, I get this error:

    I believe you have to put the root certificate in the chain.crt to make openssl verify return OK. Anyway, the root certificate is not required in the chain file (since it must be installed in the browser).
    • Nath
      Hi Nitass, I am a little bit confused: I put my SSL cert and rootCA and create a bundle, then use this bundle as Trusted Certificate Authorities, but still no luck. Do you have any suggestions Sir?
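Andy's depth-2 error and Nitass's answer, reproduced on a throwaway PKI so the two outcomes can be compared side by side. This is an added example, not code from the thread or from F5: the file names intermediateCA_1, intermediateCA_2, rootCA and mysite follow the sol6401 command quoted above, and every certificate is generated locally with openssl.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate_1 ->
# intermediate_2 -> server PKI with openssl, then run the thread's verify command
# against a chain.crt that lacks the root and against one that includes it.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certs need basicConstraints=CA:TRUE or OpenSSL refuses them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# issue NAME ISSUER EXTFILE: create a key and CSR for NAME, sign it with ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}

# Self-signed root: this is the "rootCA.crt" the CA publishes; it does not ship on the BIG-IP.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout rootCA.key -out rootCA.csr >/dev/null 2>&1
openssl x509 -req -in rootCA.csr -signkey rootCA.key -days 30 -sha256 \
    -extfile ca.ext -out rootCA.crt >/dev/null 2>&1
issue intermediateCA_1 rootCA ca.ext            # issued by the root
issue intermediateCA_2 intermediateCA_1 ca.ext  # issued by intermediate 1
issue mysite intermediateCA_2 leaf.ext          # the server certificate

# verify_with CERT...: concatenate the given certs into chain.crt (the sol6401 step)
# and run the verify command from the thread; the exit status is openssl's verdict.
verify_with() {
    cat "$@" > chain.crt
    openssl verify -purpose sslserver -CAfile chain.crt mysite.crt 2>&1
}

echo "--- intermediates only (root missing from chain.crt):"
verify_with intermediateCA_1.crt intermediateCA_2.crt || true
echo "--- intermediates plus root:"
verify_with intermediateCA_1.crt intermediateCA_2.crt rootCA.crt
```

The first run ends with "error 2 at 2 depth lookup: unable to get issuer certificate" because openssl reached the top of chain.crt (intermediateCA_1) and found no issuer for it there; the second run prints "mysite.crt: OK". Browsers never see the first result because they carry the root in their own trust store, which is why a site can work while this local check fails.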
  • Thanks, ignored the openssl errors and the ssl certificate is now verified on the web site.