Machine Cerrt auth - new PKI Multi-level CA

Question

I have had machine cert auth working in several APM profiles, now I need to move to a new Certificate Authority.  The new CA is a multi-level PKI with root CA (offline) &gt; subordinate CA.  
&nbsp;
I attempted to make the move to the new CA by using the same process I did with the single level CA, export the CA certificate, in this case from the subordinate CA, import to the big-ip and apply to the certificate authority policy.  This is failing with "unable to get local issuer certificate"&nbsp;
Could this be that I don't have the full chain?&nbsp;
Looking at the CA certificates side by side on the big IP I can't see a difference between the cert from the new PKI multi-level and the old single level CA.  
&nbsp;
On the workstation I'm testing with I have removed all machine certs except for the one I'm testing, which is issued by the PKI multi-level CA I'm testing.&nbsp;

boneyard · Answer

Could this be that I don't have the full chain?
yes, client SSL requires full chain, so from first sub CA upto the root CA.

Forum Discussion

Machine Cerrt auth - new PKI Multi-level CA

1 Reply

Recent Discussions

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Related Content

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection

Migration F5-DNS-VM from a Virtual Machine to other Virtual Machine

Ubuntu Virtual Machine for NGINX Microservices March 2022 Labs

Session persistence based on http header for machine to machine calls