Certificate removed from ca-bundle between 10.2.0 and 10.2.1

Question

This may be the wrong topic group for this one, if so apologies and please advise...&nbsp;
&nbsp;I was recently involved in an upgrade from 10.2.0 to 10.2.1.  After upgrading we had issues with an HTTPS Virtual Server, connections were being reset.  To cut a long story short it was due to the 'VeriSign Class 3 Public Primary Certification Authority - G5' certificate being removed from the ca-bundle in 10.2.1.  &nbsp;
&nbsp;A bit of googling uncovered an f5 Known Issue doc (http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12753.html) which states the cert was removed but there is not really enough detail there for me to really understand why.&nbsp;
&nbsp;My client has purchased a certificate signed by this CA cert, should I or should I not be importing it into the BIG-IP and assigning it to the Virtual Servers Client SSL Profile to get things back up and working?   Has my client purchased the wrong kind of certificate?&nbsp;
&nbsp;Regards,&nbsp;
&nbsp;fergu5&nbsp;

nitass · Answer

what is your verisign certificate product e.g. secure site, secure site pro, etc? 
&nbsp;  
&nbsp; verisign new intermediate certificate should have two certificates; one is secondary and the other one is primary. the secondary is on top of the file. 
&nbsp; https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&amp;actp=CROSSLINK&amp;id=SO14649 
&nbsp;  
&nbsp; also, this is installation checker 
&nbsp; https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&amp;id=AR1130&amp;actp=LIST&amp;viewlocale=en_US

magnum_ip · Answer

Here is the certificate hierarchy...&nbsp;
VeriSign Class 3 Public Primary Certification Authority - G5
&nbsp;     VeriSign Class 3 International Server CA - G3
&nbsp;          mydomain.com&nbsp;&nbsp;
&nbsp;My client had an initial certificate which they renewed, the renewal was signed by with the G3 and G5 certs.&nbsp;
&nbsp;The G5 cert was in the ca-bundle up until we upgraded to 10.2.1 - not sure why f5 have removed it if VeriSign are signing certificates with it.  Any clues?&nbsp;
&nbsp;fergu5&nbsp;

michael_yates · Answer

If you look at the top of the ca-bundle.crt file, they list where they get the updates: 
&nbsp;  
&nbsp;  This is a bundle of X.509 certificates of public Certificate 
&nbsp;  Authorities. It was generated from the Mozilla root CA list. 
&nbsp;  
&nbsp;  Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt 
&nbsp;  
&nbsp;  Generated from certdata.txt RCS revision 1.56 
&nbsp;  
&nbsp;  
&nbsp; You can download updated CA-Bundles here:  http://curl.haxx.se/docs/caextract.html 
&nbsp;  
&nbsp; That might be a good place to start investigating why it was removed, but you can also add it back in if you like.  It is just a collection of the most common root certificates. 
&nbsp;  
&nbsp; Hope this helps.

nitass · Answer

r u using client certificate authentication? &nbsp;
&nbsp;bug id 338848 is about bigip not sending all intermediate certificates to client which leads to certificate warning message on browser. i don't think connection is reseted.

Forum Discussion

Certificate removed from ca-bundle between 10.2.0 and 10.2.1

4 Replies

Recent Discussions

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

Related Content

Creating, Importing and Assigning a CA Certificate Bundle

Re: Management Certificate

Automating ACMEv2 Certificate Management on BIG-IP

Automate Let's Encrypt Certificates on BIG-IP

My Security+ Certification Journey