Using root certs for validation instead of using VIP certs for validation
Article ID: 111981
Updated On:
Products
Issue/Introduction
To verify our backend we are currently uploading the public certificate from F5 VIPs by searching for it in manage certificate. We were recently told that it is a concern and should be using certificate authority (CA) root cert to validate all backend F5 VIPs instead. Can we validate the VIPs only using only the certificate authority (CA) root cert?
Environment
Component: APIESM
Resolution
Additional Information
Verified this with other support engineers also ran the following test
ONLY root CA NewHost7510.ca.com Certificate installed CA Gateway in Trusted Certificates – with Certificate is a Trusted Anchor checked
Created Web Service with
Route via HTTP(s) to https://test.ssosites.com
Accessed SSL and NON SSL through GW – Successful no SSL errors, verified proper key exchanged via packet capture as well
http://MyHost.ssosites.com:8080/test1
https://MyHost.ssosites.com:8443/test1
Managed Certificates: Installed rootCA trusted Anchor
Snippet RootCA to WebServer
commonName=NewHost7510.ca.com--> commonName=test.ssosites.com
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 2995
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 2991
Certificates Length: 2988
Certificates (2988 bytes)
Certificate Length: 1441
Certificate: 3082059d30820385020101300d06092a864886f70d01010b... (pkcs-9-at-emailAddress=MyID,id-at-commonName=test.ssosites.com,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Maynard,id-at-stat
Certificate Length: 1541
Certificate: 30820601308203e9a003020102020900d46b66b785a9ca64... (pkcs-9-at-emailAddress=Myid,id-at-commonName=mcqst02d7510.ca.com,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Framingham,id-at
Feedback
