Forum Discussion

shifterracer_16
Feb 19, 2015

Network Solutions EV SSL Not Trusted

Hey Guys, OK, I'm past frustrated with trying to find the correct combo to get an NS EV SSL cert to work correctly on my LTM (10.2.4). I have one client that uses NS and renewed their NS cert, but this year it's an EV SSL. The zip file he sent me came with the below files and I have yet to get the combo to work. I called NS about an intermediate cert and they told me to just append them all into one cert. They gave me the correct order to do this in and still no luck. Anybody have an idea what the correct combo is to get these to work on my LTM?

 

- Clientcert.crt
- EV_NetwrokSolutionsEVServerCA2.crt
- EV_NetworksolutionsCertificateAuthority.crt
- AddTrustExternalCARoot.crt

Append Order (T->B) according to NS:

- Client Cert
- EV_NetworksolutionsCertificateAuthority.crt
- EV_NetwrokSolutionsEVServerCA2.crt
- AddTrustExternalCARoot.crt

 

At first I was trying just the new EV cert/key in the cert/key fields in the LTM, then I tried different combos for the Chain and Trusted Certificate Authorities fields with the other 3 certs, with none of the combos working. I also tried all individual EV certs located on the below URL, which had no effect...same error. Anybody have any ideas? http://www.networksolutions.com/support/where-can-i-locate-the-network-solutions-nsprotect-root-and-intermediate-certificate-files/

 

9 Replies

  • shaggy

    are you getting an error message on the F5, or is your browser throwing not-trusted errors after you update the certificate?

    can you share the issuer of the server certificate you received? run 'openssl x509 -text -noout | grep Issuer' - after running the command, paste your certificate text and hit 'enter' - this should result in a line similar to - 'Issuer: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority'

    as you mentioned, you should be able to use the server-cert+intermediate-certs+root-cert(opt.) as the certificate portion of your SSL certificate in the F5 configuration. alternately, you can simply specify the server-cert in the certificate portion of the SSL certificate file in the F5 configuration, and use the intermediate-certs+root-cert(opt.) as a certificate bundle that is specified as the "chain" in the client-SSL profile.
  • No errors installing the certs at all. The problem is when people go to the site they get that pop up stating the cert isn't trusted and they should not proceed. This seems to be only affecting Firefox users. Also, when I go to digicert.com/help it's reporting the cert is not trusted because an intermediate cert is missing. I've tried different combos to try to figure out what would make up the intermediate cert, none of them seem to work when I apply it to the Profile - Chain field.

     

  • yeah I tried that combo Shaggy...no luck.

    I also tried the NetSolEV-Post.p7b, but I couldn't install it because it's a p7b cert and it needs to be converted. F5 Import Cert error:

    Import Failed: OpenSSL error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

    So to convert it I ran the following command to try to convert it.

    openssl pkcs7 -in NetSolEV-Post.p7b -text -out NetSolEVBundle.pem -print_certs

    It then kicks back the following error.

    unable to load PKCS7 object 22196:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: PKCS7

    I could be wrong, but this usually means the header and footer are not correct. I tried to open it in notepad to fix that, but I get text that's encoded that I'm not able to understand.

    So next I just looked at the NetSolEV-Post.p7b cert and I see it's made up of the NetworkSolutions Certificate Authority and Network Solutions EV Server CA cert, which I believe are the ones from the original zip file Network Solutions sent me. So I combined those and installed them into the F5 without a problem. I then tried it in the Profile -> Chain as well as in the Trusted Certificate field. Digicert still returns chain not trusted.
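
The conversion and chain-order checks discussed in the post above, as an added example that is not part of the original thread. It assumes the .p7b is DER-encoded (binary), which is one reading of the "no start line" error; the function names `p7b_to_pem` and `chain_in_order` and all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). File names are placeholders.

# Convert a PKCS#7 (.p7b) bundle to PEM certificates. Try PEM input first,
# then fall back to DER (binary) input, which is an assumption about why
# the thread's command reported "no start line".
p7b_to_pem() {    # usage: p7b_to_pem in.p7b out.pem
    openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null ||
        openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# Check that a PEM bundle is ordered leaf -> intermediates -> root: the
# issuer of each certificate must equal the subject of the one after it.
# Returns 0 if ordered, 1 otherwise. Names only; signatures are not verified.
chain_in_order() {    # usage: chain_in_order bundle.pem
    dir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1; rc=0
    while [ -f "$dir/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        if [ "$iss" != "$sub" ]; then
            echo "cert $i is issued by '$iss' but cert $((i + 1)) is '$sub'"
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}
```

A name match is necessary but not sufficient; `openssl verify -CAfile root.pem -untrusted intermediates.pem server.crt` (placeholder file names) checks the signatures as well.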

     

  • So I combined those and installed them into the F5 without a problem. I then tried it in the Profile -> Chain as well as in the Trusted Certificate field. Digicert still returns chain not trusted.

    can you post the clientssl profile?

     tmsh list ltm profile client-ssl (profile name)
    

    what certificate are you using as a chain in the clientssl profile now? is it this one?

    
  • Here's the profile minus the key names.

    ltm profile client-ssl XXXX.XXX {
        ca-file NS_Netsolevroot.crt
        cert XXXXX.crt
        chain NS_Chain_CA2_CA.crt
        ciphers DEFAULT:!ADH:!EXPORT40:!EXP:!LOW
        defaults-from clientssl
        key XXXX.key
        options { dont-insert-empty-fragments no-sslv2 no-sslv3 }
    }

    What's the name of that cert you listed?
    
  • What's the name of that cert you listed?

    [root@ve10a:Active] config  cat /var/tmp/Network_Solutions_EV_Server_CA.cer
    
    [root@ve10a:Active] config  openssl x509 -in /var/tmp/Network_Solutions_EV_Server_CA.cer -noout -subject -issuer
    subject= /C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
    issuer= /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
    
  • It doesn't appear I do. When I try to import that I get the following error:

    OpenSSL error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag