Solved

What is relation among ssl, certificate, ca and intermediate certificate

Posted on 2016-09-15
Last Modified: 2016-10-13
Hi Expert,
I am installing certificate for F5. Can you use an example to explain the relation among ssl, certificate, ca and intermediate certificate, public key and private key, user and provider? Thank you
Question by:eemoon
 
LVL 18

Assisted Solution

by:Learnctx
Learnctx earned 500 total points
ID: 41800901
A certificate authority infrastructure will usually have a hierarchy of CAs. Take EE for example. It is a 2-tier CA hierarchy.

COMODO ECC Certification Authority (root CA)
|__ COMODO ECC Domain Validation Secure Server CA 2 (subordinate issuing CA)
      |__ ssl310949.cloudflaressl.com (This is the server certificate with SAN's for experts-exchange.com, *.experts-exchange.com)


Other configurations might be a 3-tier hierarchy where the trust chain would be: Root CA -> Intermediate/Policy CA -> Issuing/leaf CA -> Site certificate.

SSL is a crypto protocol that defines secure communication using certificates.

Private key/public key are to do with encrypting and decrypting data for secure exchange, the heart of PKI (public key infrastructure). There is a good video which I like to give people that F5 did on TLS/SSL connection. It explains the concept of PKI, public keys and private keys with a bit of a demo. Watch it here: https://www.youtube.com/watch?v=n_d1rCXNrx0.
 

Author Comment

by:eemoon
ID: 41800928
Thank you so much for your fast reply. I am updating the cert for F5, but someone says that we need to update the intermediate certificate too. Why is that?
 
LVL 18

Assisted Solution

by:Learnctx
Learnctx earned 500 total points
ID: 41800931
You have to trust the whole chain and include the whole chain. Some clients will retrieve a certificate chain, others will expect the whole chain to be presented. On the F5 if the intermediate certificate has changed then you have a new certificate chain. So you need to update it by inserting the new intermediate or the trust is broken.

 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points
ID: 41800985
Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert.

For a trusted sign-on with no warning from the browser, the cert chain of trust needs to be established. F5 has Client SSL and Server SSL.

For Client SSL (client <> F5), to avoid a prompt, the user's browser will be presented a "Server" SSL cert from the F5 appliance; the browser will check for the chain of trust.

For Server SSL (F5 <> server), to avoid not trusting the channel, F5 needs to have the root and intermediate cert bundle (if applicable) referenced in your server SSL cert presented to it when F5 tries to access or forward traffic to your server.

They have an article on the SSL profiles which hopefully you will find useful:
- https://devcentral.f5.com/articles/ssl-profiles-part-3-certificate-chain-implementation
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 41801035
Adding to the prior comments.
The root CA certificate has an expiration date (often these can be 5, 10, or 20 year terms); you can usually have only one.
The intermediate/issuing CA certificate has an expiration date as well that is different (these usually have half the term of the root CA); depending on the size of the enterprise you can have several intermediate/issuing CAs.
Certificates issued to users, servers, etc. usually expire 1, 2, or 3 years from issuance, not to exceed the expiration date of the intermediate CA.

The holder of a certificate also has a private key which is used by the holder to decrypt the data. The certificate includes the public key which is presented/exchanged between the two sides during the negotiation of the connection.
Once a side has the certificate/public key, it uses the public key to encrypt the data it sends to the other end. The recipient uses their private key to decrypt the data. Using the public key obtained during the exchange, the response is encrypted and sent....

When renewing certificates one often has an option to use an existing private key to renew a certificate, or they can use a new key.
For root CA renewals and intermediate CA certificate renewals it is often best to use a new key. Because of this, these root/intermediate CAs have to be included when a new cert issued by them is loaded on a server or, as in your case, on a device/load balancer.
 

Author Comment

by:eemoon
ID: 41802501
Thank you all so much for your explanation! Based on the above, I realize all of "Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert." exist in F5. My question is: what is the function of "Root CA Cert > Intermediate CA Cert (bundle of Sub CA)" for the whole chain? Can we directly use the Server SSL cert?

If I am a client, and I want to install SSL for my F5, what do I need to buy? Do I buy a certificate or a key?
 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points
ID: 41802522
It is to build a chain of trust where the check on the chain will be done to ascertain if we can trust the SSL server cert issued by the SubCA and the latter's CA (or root CA).

Either do a self-signed cert which you generate in the F5 box, not recommended though. Instead, buy an SSL cert which will come with the keys. The root CA and SubCA cert are free for download. The issuer which you buy from will direct you with steps to download.

Thereafter the file you got from the 3rd party issuer will probably be a PEM file and you can import it to your SSL profile. The steps shared in the link in the past post will guide.

Client SSL - see the key (required), certificate (refer to cert bundle and root CA) and chain explanation. The F5 box is serving the client browser as a server, hence it requires the key and certificate.

https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html

Server SSL - certificate and key are optional unless you are doing two-way SSL, in which F5 is a client to the server it is connecting to.

https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
 
LVL 81

Accepted Solution

by:
arnold earned 1000 total points
ID: 41802586
Yes, you can use just the SSL cert; the reason to include the chain (root CA and intermediate) deals with assisting connecting clients to see the certificate as valid in the event the remote client does not have either the root CA or the intermediate CA referenced or included as trusted in their system.

Think of it this way: the server certificate identifies the server, let's say similar to a driver license.
Unless you trust the validity/issuer of the displayed driver license, you need further proof that the driver license is authentic and not forged/fake. The root CA/intermediate CA certs act as confirming/authenticating the authenticity/validity of the server cert.

With that said, a client connects to the server and during the connection negotiation the server presents its certificate; if the client has either/both of the server cert's issuing CAs (root CA or intermediate CA) as trusted, the action will proceed without further delay. If the client does not, the certificate chain included with the certificate from the server would help the client authenticate/validate that the server cert is valid and ....

Merely including your certificate's root CA and intermediate issuing CA is not the final word.
I.e. if you set up your own CAs, as suggested, unless the client accepts and sets your root CA and intermediate CA certs as trusted, connections to the server will always prompt the user with a warning message that the authenticity of the certificate can not be validated, allowing the client to accept the validity once, or, by trusting the chain of certs, permanently (until the expiration of the root CA).
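The chain behaviour described in this answer and in Learnctx's earlier reply (the client must be able to build a path from the server cert through the intermediate to a root it already trusts), as an added shell example that is not part of the thread or of F5's documentation. It builds a constructed 2-tier demo chain with openssl (the names Demo Root CA, Demo Issuing CA and www.example.test are made up) and shows that a client trusting only the root cannot validate the leaf until the intermediate is presented with it:

```shell
#!/bin/sh
# Added demonstration, not code from the thread or from F5: build a constructed
# 2-tier chain (Demo Root CA -> Demo Issuing CA -> www.example.test) and show
# that a client trusting only the root can validate the leaf only when the
# intermediate is presented alongside it. Assumes openssl (1.1.x or 3.x) on PATH.

# Generate a key and CSR: $1=work dir, $2=file stem, $3=subject
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Build root, intermediate and leaf; print the work directory on stdout.
build_demo_chain() {
  dir=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
  # Root CA: self-signed with CA:TRUE (this is what sits in the client trust store).
  make_csr "$dir" root "/CN=Demo Root CA"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate (issuing) CA: signed by the root, also CA:TRUE.
  make_csr "$dir" int "/CN=Demo Issuing CA"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1
  # Leaf (server) certificate: signed by the intermediate, never by the root directly.
  make_csr "$dir" leaf "/CN=www.example.test"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
  echo "$dir"
}

# Client trusts the root but is handed only the leaf: the leaf's issuer
# ("Demo Issuing CA") is unknown, so no chain to the root can be built.
verify_leaf_alone() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also presents the intermediate (the chain bundle
# that must be installed on the F5): the chain now reaches the trusted root.
verify_leaf_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo=$(build_demo_chain)
if verify_leaf_alone "$demo"; then echo "unexpected: leaf verified without intermediate"
else echo "leaf alone: verification fails (unable to get local issuer certificate)"; fi
if verify_leaf_with_chain "$demo"; then echo "leaf + intermediate: verification OK"; fi
rm -rf "$demo"
```

Drop `-untrusted` from the second check to reproduce the "broken trust" a client sees when a renewed intermediate was not loaded on the F5 alongside the new server cert.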
 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points
ID: 41802608
If using a 3rd party CA, you can check out one example, the GoDaddy steps for F5 LTM.

https://sg.godaddy.com/help/installing-an-ssl-certificate-in-f5-big-ip-loadbalancer-5511

Actually there is also public key pinning to give that extra assurance on top of the trust check discussed.
When Do You Pin?
You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#What_Is_Pinning.3F

An F5 iRule can add an HTTP header for this:

https://devcentral.f5.com/questions/configure-certificates-pinning-via-ltm-policies-v-1153

For info:
A website operator can choose to either pin the root certificate public key of a particular root certificate authority, allowing only that certificate authority (and all intermediate authorities signed by its key) to issue valid certificates for the website's domain, and/or to pin the key(s) of one or more intermediate issuing certificates, or to pin the end-entity public key.
 

Author Comment

by:eemoon
ID: 41803038
Thank you so much for your explanation, especially the good example that you gave (driver license) to understand it. Here is the thing that I am not sure about:

There are several sites in which F5s are located for the same website (maybe there are several servers behind them in different locations). Do we need several certificates or just one? And its key? Does the client (user PC) need the same certificate and key? And do the servers also need the certificate and key?
 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points
ID: 41803079
Either you consider buying a UCC cert with multiple sites inside the single cert's SAN, or otherwise a wildcard cert that covers all subdomains. So it is still one SSL cert for multiple websites in one F5 box or those boxes fronting these websites.

The client machine just needs the root and intermediate CA bundle. The server SSL cert and key are in the F5 box. The client browser will prompt a warning if those root cert and sub CA cert are not in the machine store, but the user can just click trust and move forward thereafter.
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 41803176
To answer the question, more information is needed.
There might be more sites behind the F5 that are accessed unencrypted; the certificate is only used for secure (encrypted) access to the site it represents.

The certificate on the F5 terminates the SSL connection (from client to F5); the F5 then load balances the traffic between/among the servers that serve up the site/s.
 

Assisted Solution

by:eemoon
eemoon earned 0 total points
ID: 41803247
server ----- F5 ----- client

server ----- client

The above are two topologies.

F5 box is serving the client browser as a server hence it requires the key and certificate.

Can I say the F5 represents the server to contact the client through the SSL certificate and key (first topology)? Without the F5 (second topology), the certificate and key would need to move to the server, right?
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 41803291
Usually, the flow is inbound, so you have F5 as an application accelerator where files/data that change are retrieved from the server, while static data, images, template settings, etc. reside on the cache (F5) storage....
This maximizes responsiveness/performance while minimizing the resource hits on the server.

Yes, if F5 is not in the mix, the certificate/private key would need to be installed on the server, and the server web binding will need to be updated to listen on port 443, as well as security settings to make sure either the entire site is accessed via a secure connection or a specific directory can only be accessed via a secure connection, i.e. the "store" where CC or other sensitive data is exchanged.
 

Author Comment

by:eemoon
ID: 41803336
Thank you so much.
It looks like that certificate/key is per website behavioral, for example, if the F5/server hold 10 websites, the F5/server need 10 certificate/key, right? but in users' side, their PC just just need to install the same "root CA and SubCA cert", can i say like that?
0
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 41803360
Yes, that is correct for sites requiring secure communication.
Btan provided an alternative: you can have/get a single certificate that includes multiple names.
Subject Alternative Name deals with the certificate being valid for
www.maindomain.com
SAN
www.anotherdomain.com
www.yetanotherdomain.com
www.onemoredomain.com

Though usually, the domains/hostnames are related:
www.mydomain.com
store.mydomain.com
blog.mydomain.com
webmail.mydomain.com, etc.
 

Author Comment

by:eemoon
ID: 41803381
Thank you all. I already have these basic concepts. The post is very long and has already answered many questions. I should stop here and I am going to start another new post for my next question. Thank you again!
 

Author Comment

by:eemoon
ID: 41840221
Can I say,  if we want " CA root cert ----- intermediate cert ----- client cert" to work, the chain should exist in both server and client PC?
 
LVL 65

Expert Comment

by:btan
ID: 41840498
Yes - for both: CA root cert ----- intermediate cert in the server (must) and the client (warning if missing, but can still proceed to access). The client cert is for the client machine and not the server. The latter just checks if the client cert's CA and int. cert are in its store.
 

Author Comment

by:eemoon
ID: 41842024
Very good. Do you think the client PC has two ways to get the certificate? One is that the client himself installs it on the PC.
Second is that the administrator installs it on the F5; when the client accesses the F5/server, it can automatically install it on the client PC.
 
LVL 65

Expert Comment

by:btan
ID: 41842199
export & import into client or self install upon prompt
 

Author Comment

by:eemoon
ID: 41842288
Thank you btan
