  • nathe

    Mike, not necessarily. The client (browser) needs to establish a chain of trust. By having the chain in the SSL profile you're telling the client who has signed the cert and who's signed the signing cert, etc., up to a root CA, perhaps.

    The browser will need to trust one of these elements in the chain. It could just be the root CA.

    Hope this helps, I'm not a PKI expert by any stretch :-)

    N

  • Hamish

    The client needs to have (and trust) a certificate in the path... For example, the client needs (at minimum) the root cert installed and trusted to sign certs. The server then needs to present ALL the certs in the chain between what the client trusts and the end-cert that authenticates the site.

    E.g., if you have root->chain1->chain2->site (4 certs) and the client trusts root (only), then the SSL profile needs to present chain1, chain2 and the site cert.

    If the client has root, chain1, chain2, then the SSL profile needs to present only the site cert.

    The client MUST have AT LEAST one of the certs in the chain (root -> site) installed and trusted.

    H
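
The rule described in the replies above, as an added example that is not part of the original thread: a simplified model of path building over the root->chain1->chain2->site hierarchy. It compares names only (no signatures, validity dates or extensions), and the function names and the `other-root` trust anchor are constructed for illustration.

```python
# Simplified model of certificate path building. Names only: signatures,
# validity dates and extensions are NOT checked. All names are constructed.

# subject -> issuer for the thread's hierarchy: root -> chain1 -> chain2 -> site
ISSUER = {"site": "chain2", "chain2": "chain1", "chain1": "root", "root": "root"}


def path_to_root(leaf, issuer=ISSUER):
    """Return [leaf, ..., root] by following issuer links upward."""
    path = [leaf]
    while issuer[path[-1]] != path[-1]:  # a self-issued cert ends the path
        path.append(issuer[path[-1]])
    return path


def must_present(leaf, client_trusted, issuer=ISSUER):
    """Certs the server has to send so the client reaches something it trusts.

    Returns None when the client trusts nothing in the path; no chain
    configuration on the server side can fix that case.
    """
    if leaf in client_trusted:
        return [leaf]
    needed = []
    for cert in path_to_root(leaf, issuer):
        if cert in client_trusted:
            return needed
        needed.append(cert)
    return None


def client_validates(presented, client_trusted, issuer=ISSUER):
    """Model the client: start at the leaf (first presented cert) and walk up,
    using only certs the server sent or the client already holds."""
    if not presented:
        return False
    known = set(presented) | set(client_trusted)
    current, seen = presented[0], set()
    while current not in client_trusted:
        parent = issuer.get(current)
        # Fail on a missing link, or on looping at an untrusted self-issued root.
        if parent is None or parent not in known or current in seen:
            return False
        seen.add(current)
        current = parent
    return True
```
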