Forum Discussion

juniorexus_1332
Aug 19, 2014

SSL chain not presented by BIGIP

hi guys,

It might be a silly question but I am going a bit mad here.

I configured a chain for my SSL VS offload (firstly I tried just with the intermediate cert, then also with the root cert) and when I test to my VS with the "openssl s_client -connect" command, BIGIP doesn't present the certificate chain to me.

Why is that? Is this because cert + chain does not create a trust? The same config (SSL cert + chain) works on the legacy ACE.

appreciate any response!

 

6 Replies

  • nathe

    The cert and chain on the server side will create a trust, but you would still need to trust either the intermediate or the root CA on the client side too. Adding the chain doesn't necessarily provide trust to the certificate. It really only tells the client which certs to use in the chain to enable trust.

    You can use this command on the LTM to check that the cert and chain are working, just in case:

    openssl verify -purpose sslserver -CAfile /config/ssl/ssl.crt/test_bundle.crt /config/ssl/ssl.crt/test_server.crt

    This is how I understand it anyway.

    Rgds

    N

     

  • Thanks Nathan for coming back.

    I am totally with you, but I still can't understand why I can't see F5 presenting the chain to me (which is configured with two certs):

    openssl s_client -connect x.x.x.x:443 -key /config/filestore/files_d/www-qa_d/certificate_key_d/:test.key -cert /config/filestore/files_d/www-qa_d/certificate_d/:test.crt
    CONNECTED(00000003)
    depth=0 /C=US/ST=.....
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=....
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=N....
    verify error:num=21:unable to verify the first certificate
    verify return:1

    Certificate chain
     0 s:/C=US/ST=....
       i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA

    I can see that when I try to connect from the F5 itself to the VIP, the cert is not trusted anyway.

    After running the openssl verify command, I'm getting the error below:

    "error 20 at 0 depth lookup:unable to get local issuer certificate"

    Do you recognize this error?

     

  • openssl s_client -connect x.x.x.x:443 -key /config/filestore/files_d/www-qa_d/certificate_key_d/:test.key -cert /config/filestore/files_d/www-qa_d/certificate_d/:test.crt

    Are you doing client certificate authentication? If not, shouldn't it be the -CAfile option rather than -cert and -key?

     

    e.g.

     

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            myclientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 65
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        app-service none
        cert-key-chain {
            server {
                cert server.crt
                chain chain.crt
                key server.key
            }
        }
        defaults-from clientssl
    }
    
     server certificate
    
    [root@ve11a:Active:In Sync] certificate_d  perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
    print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' \:Common\:server.crt_51362_1
    ---
    subject= /C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
    issuer= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
    
     intermediate certificate
    
    [root@ve11a:Active:In Sync] certificate_d  perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
    print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' \:Common\:chain.crt_33273_1
    ---
    subject= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
    issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    ---
    subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    
     test
    
    [root@centos1 ~] perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
    > print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /root/newca/certs/ca.crt
    ---
    subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    
    [root@centos1 ~] openssl s_client -connect 172.28.24.10:443 -CAfile /root/newca/certs/ca.crt
    CONNECTED(00000003)
    depth=2 /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    verify return:1
    depth=1 /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
    verify return:1
    depth=0 /C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
       i:/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
     1 s:/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
       i:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
     2 s:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
       i:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFmzCCA4OgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCV0ExDTALBgNVBAoTBEFjbWUxEDAOBgNVBAsTB1N1cHBvcnQxGDAW
    BgNVBAMTD2NhMjAxMy5hY21lLmNvbTAeFw0xNDA4MjAxMDIzNTBaFw0xNTA4MjAx
    MDIzNTBaMFAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTENMAsGA1UEChMEQWNt
    ZTELMAkGA1UECxMCSVQxGDAWBgNVBAMTD3NlcnZlci5hY21lLmNvbTCCAiIwDQYJ
    KoZIhvcNAQEBBQADggIPADCCAgoCggIBAOPRWmOQTeUW1PEpF1kUhaTBx0s6sT61
    BYUhvkvWL751iL7ij1Sp8/SwyxeyWnvOMbLX1c7yeoWFZo1xOtuIyzXYBx8COYOq
    xt550NspaAQIpdPZbGJFkpq3eK/q9mDdl+H88yI5L9EeCd5EDW+A3uKl+3yW/XXh
    K14rKahFNmMwamMRl0m9uWLii/3ivfjnF7bU+u/3vhBt8IOvUDWVGBdUHHKf9KDx
    7IVlw4X+Vx/ApeQraEv819TRvBdExepPvb+Nnn2jMqstmv7EA+VX5gll4xmvb8mV
    vk5XmQmNFnaFS8BsHkPiXZsb/7V6a+99g5u04gGq/ydAIztpzxwcsezaOABlURqp
    3w7dHUHg7tcSXLCSSltwryrYvcm5WguqIy0Mflw4/C8Y6KFYKetHAemoTSowj5wP
    QWRRTOzfgfps4jstHZZssNpDvlbdwdxW3dFIBItrmHo70/47bKF1YeY/PFF3p0x+
    3MGRJaiUt6iGGTRNlk4cgr/YDmvBJOeXrm8wjR1ASEHvg+0XuG/qbBtZNyDC5oCJ
    Rx02qyvBwo55TZc/BEfb1U4rpnZPScwXnuexjN+fj2glxgF9nCMnZ9ZEL/CkECKI
    2LNGvOHevT8rgtXTpRM2PSrzp1k0R3UB0eb/Hsw9nSxNjU6dFhoIXJ7oty8Dnjro
    bIcA0LoutMCvAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w
    ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQ/8YYZxuAXV79i
    y7ux9U6F3xWOujAfBgNVHSMEGDAWgBSCOznFhO68X2r1WREpmuBuEabGcTANBgkq
    hkiG9w0BAQUFAAOCAgEA4LrE5RlXF6fNQKx4aVI3oioUXbpp/6FpnIBzT9y2r/Ei
    m7zOOCysqdIqwEVjwlpd8/kw5/a/ympJ6Wt8A7CT4fTakYAEyEFhys4XjHdW074I
    R+PR4wYPnWCs1ylq+vUX04UlIVmecVx5/7gqPCZ4wQyjwnzoHI+I+gbYc2IeWfRU
    nfh4DEeD7PBjZb6zUKnT4PfpHhVwyA9LPOVLQqeTlHtBWZmFYGOTnuJ6kBBHOnDG
    07qoxonue9oa1EGzBqDqYQx0PNHaQ3HEzj7UD2tdQ/FqVyu1xWxyGqZ0uVZUdIY0
    tfvZA+Yv1rpimaRrMZgEkIouGOxdzNhrc5XleLsAPyLkCEez7YP1d2gKTH6Orl/H
    +hCoFVGrxjEpaglo36ijvXpqhMxczX28QA8qUQZNgX+CSfCYEgTnNqcAp94m0DgB
    JLAuSBUn0CV8af7dEInpcYMN7FaWYOG9WUmuYGmUNffLLhwLYXzcpo0Od/ATdvWZ
    ORam3uhU/zNr3MENHNT+1dfLi7BLRQNjzo3HhMmcVCfKW9YBRU88rOXlPBBAc91r
    svO7PkHtidRixb0vHJzOLOg4O44F2PPwMwL1eys2gzjKPHLZcPNQkWokE4Ipn6wS
    AEzQqZ83uMOh122h2aJcHU7Y/s57gnBQBdy8yEyeoToxfL6sQkuQWmLCje/J+cY=
    -----END CERTIFICATE-----
    subject=/C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
    issuer=/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4703 bytes and written 703 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 457BB7CC171B41B0E605CD1C37DF7B0F4A3530C8F0D9C9B5F190A8740F6865DC
        Session-ID-ctx:
        Master-Key: F15E99AF1F808310F917E9B4A90B46D37EB6D24C6371AD29CB7A3C44684EFFDFE0CC081742E81985F6EE771B18075093
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1408530869
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    • nitass
      In case the CA certificate is not pre-defined in the default openssl CA file.
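The following is an added example, not code from this thread or from F5. It is a small POSIX shell script that builds a throwaway root / intermediate / server PKI with openssl and then runs the checks discussed above against it: listing subject and issuer of every cert in a bundle, in file order (what nitass's perl one-liner prints), checking that leaf + chain actually link in the order a server must send them, running nathe's openssl verify with the trust anchor and the intermediates passed separately (-CAfile versus -untrusted), and, with LIVE=1, standing up an openssl s_server with and without -cert_chain so the client side first reproduces the "unable to verify the first certificate" result from the second post and then the fixed result. The organization names, file names and port 4433 are assumptions; it needs openssl on the PATH and, for the live part, loopback networking.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5. Builds a throwaway
# root -> intermediate -> server PKI and runs the checks the thread is about.
# Names, paths and the port are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build root.crt, int.crt, srv.crt/srv.key and chain.crt (int + root) in $WORK.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.example.test\n' > "$WORK/srv.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/O=Example/CN=Example Root CA' \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/O=Example/CN=Example Issuing CA' \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=server.example.test' \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null
    # This is the file that would go into a client-ssl profile's "chain".
    cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.crt"
}

# Print "subject|issuer" for every certificate in the given PEM files, in order.
cert_names() {
    cat "$@" > "$WORK/bundle.pem"
    openssl crl2pkcs7 -nocrl -certfile "$WORK/bundle.pem" \
        | openssl pkcs7 -print_certs -noout \
        | awk '/^subject=/ { s = substr($0, 9) }
               /^issuer=/  { print s "|" substr($0, 8) }'
}

# Succeed only if each cert's issuer is the subject of the next one: the order
# a TLS server must send them (leaf first, then its issuer, and so on).
chain_is_ordered() {
    cert_names "$@" > "$WORK/links.txt"
    prev_issuer=""
    while IFS='|' read -r subj iss; do
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "chain breaks: expected '$prev_issuer', found '$subj'" >&2
            return 1
        fi
        prev_issuer="$iss"
    done < "$WORK/links.txt"
    return 0
}

# verify_leaf ROOT LEAF [CHAIN]: verify the way a client does, with the trust
# anchor in -CAfile and the server-supplied intermediates as -untrusted.
# Prints "OK" or "FAIL: <openssl's reason>" (error 20 when the chain is missing).
verify_leaf() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -purpose sslserver -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -purpose sslserver -CAfile "$1" "$2" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *) echo "FAIL: $(printf '%s\n' "$out" | grep 'depth lookup' | head -n 1)" ;;
    esac
}

# presented_chain PORT ROOT LEAF KEY [CHAIN]: serve one connection on
# 127.0.0.1:PORT, connect with s_client -showcerts, and print how many
# certificates the server actually sent plus the client's verify result.
presented_chain() {
    if [ -n "${5:-}" ]; then
        openssl s_server -accept "$1" -naccept 1 -www -cert "$3" -key "$4" -cert_chain "$5" >/dev/null 2>&1 &
    else
        openssl s_server -accept "$1" -naccept 1 -www -cert "$3" -key "$4" >/dev/null 2>&1 &
    fi
    srv=$!; sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$1" -CAfile "$2" -showcerts </dev/null 2>/dev/null) || true
    wait "$srv" 2>/dev/null || true
    printf '%s cert(s) sent, verify: %s\n' "$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')" \
        "$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p')"
}

make_test_pki
echo "-- leaf + chain, as a client should receive it:"
cert_names "$WORK/srv.crt" "$WORK/chain.crt" | sed 's/|/  (issued by: /; s/$/)/'
if chain_is_ordered "$WORK/srv.crt" "$WORK/chain.crt"; then echo "-- chain order: ok"; else echo "-- chain order: BROKEN"; fi
echo "-- verify with chain:    $(verify_leaf "$WORK/root.crt" "$WORK/srv.crt" "$WORK/chain.crt")"
echo "-- verify without chain: $(verify_leaf "$WORK/root.crt" "$WORK/srv.crt")"
if [ "${LIVE:-0}" = 1 ]; then   # LIVE=1: the thread's symptom first, then the fix
    echo "-- listener without chain: $(presented_chain 4433 "$WORK/root.crt" "$WORK/srv.crt" "$WORK/srv.key")"
    echo "-- listener with chain:    $(presented_chain 4433 "$WORK/root.crt" "$WORK/srv.crt" "$WORK/srv.key" "$WORK/chain.crt")"
fi
```

Run it as `sh chaincheck.sh`, or `LIVE=1 sh chaincheck.sh` to include the listener test. Two points it makes explicit: a chain file must start with the certificate that issued the server cert, not with the root, and openssl verify with the bundle in -CAfile only proves the chain is valid on disk; only s_client -showcerts against the VIP proves the chain is actually being sent.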