Using root certs for validation instead of using VIP certs for validation
search cancel

Using root certs for validation instead of using VIP certs for validation


Article ID: 111981


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


To verify our backend we are currently uploading the public certificate from F5 VIPs by searching for it in manage certificate. We were recently told that it is a concern and should be using certificate authority (CA) root cert to validate all backend F5 VIPs instead. Can we validate the VIPs only using only the certificate authority (CA) root cert?


Component: APIESM


APIM is SSL Client you only need root CA and all it’s intermediate CA in the chain

Additional Information

Verified this with other support engineers also ran the following test

ONLY root CA Certificate installed CA Gateway in Trusted Certificates – with Certificate is a Trusted Anchor checked
Created Web Service with
Route via HTTP(s) to
Accessed SSL and NON SSL through GW – Successful no SSL errors, verified proper key exchanged via packet capture as well
Managed Certificates:  Installed rootCA trusted Anchor

Snippet RootCA to WebServer>

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2995
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2991
            Certificates Length: 2988
            Certificates (2988 bytes)
                Certificate Length: 1441
                Certificate: 3082059d30820385020101300d06092a864886f70d01010b... (pkcs-9-at-emailAddress=MyID,,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Maynard,id-at-stat
                Certificate Length: 1541
                Certificate: 30820601308203e9a003020102020900d46b66b785a9ca64... (pkcs-9-at-emailAddress=Myid,,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Framingham,id-at