Solved

What is relation among ssl, certificate, ca and intermediate certificate

Posted on 2016-09-15
22
68 Views
Last Modified: 2016-10-13
Hi Expert,
I am installing certificate for F5. Can you use an example to explain the relation among ssl, certificate, ca and intermediate certificate, public key and private key, user and provider? Thank you
0
Comment
Question by:eemoon
  • 9
  • 6
  • 5
  • +1
22 Comments
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 125 total points
ID: 41800901
A certificate authority infrastructure will usually have a hierarchy of CA's. Take EE for example. It is a 2-tier CA heirarchy.

COMODO ECC Certification Authority (root CA)
|__ COMODO ECC Domain Validation Secure Server CA 2 (subordinate issuing CA)
      |__ ssl310949.cloudflaressl.com (This is the server certificate with SAN's for experts-exchange.com, *.experts-exchange.com)

Open in new window


Other configurations might be a 3-tier hierarchy where the trust chain would be: Root CA -> Intermediate/Policy CA -> Issuing/leaf CA -> Site certificate.

SSL is a crypto protocol that defines secure communication using certificates.

Private key/public key are to do with encrypting and decrypting data for secure exchange, the heart of PKI (public key infrastructure). There is a good video which I like to give people that F5 did on TLS/SSL connection. It explains the concept of PKI, public keys and private keys with a bit of a demo. Watch it here: https://www.youtube.com/watch?v=n_d1rCXNrx0.
0
 

Author Comment

by:eemoon
ID: 41800928
Thank you so much for your fast reply. I am updating cert for F5. but someone says that we need to update intermediate certificate too. why is that?
0
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 125 total points
ID: 41800931
You have to trust the whole chain and include the whole chain. Some clients will retrieve a certificate chain, others will expect the whole chain to be presented. On the F5 if the intermediate certificate has changed then you have a new certificate chain. So you need to update it by inserting the new intermediate or the trust is broken.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41800985
Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert.

For a trust sign with no warning from the browser, the cert chain of trust need to be established. F5 has Client SSL and Server SSL.

For Client SSL, (client<> F5) to avoid prompt, user browser will be presented a "Server" SSL cert from F5 appliance the browser will check for the chain of trust.

For Server SSL, (f5 <> Server) to avoid not trusting the channel, F5 need to have the Root, intermediate cert bundle (if applicable) reference in your server SSL cert presented to it when F5 try to access or forward traffic to your server.

They have article for the SSL profiles which hopefully you can find it useful
- https://devcentral.f5.com/articles/ssl-profiles-part-3-certificate-chain-implementation
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41801035
Adding to the prior comments.
Root CA certificate has an expiration date. (Often these can be 5, 10, 20 year terms) you can usually have only one.
The intermediate/issuing CA certificate has an expiration date as well that is different  (these usually have half the term of the root CA) depending on the size of the enterprise you can have several intermediate/issuing CAs.
certificate issued to users, and servers, etc. expiration usually 1,2,3 year from issuance not to exceed the expiration date of the intermediate ca.

The holder of. Certificate also has a private key which is used by the holder to decrypt the data. the certificate includes the public key which I presented/exchanged between the two sides during the negotiation of the connection.
Once a side has the certificate/public key, it uses the public key to encrypt the data it sends to the other end. The recipient uses their private key to decrypt the data. Using the public key obtained during the exchange, the response is encrypted and sent....

When renewing certificates one often has an option to use n existing private key to renew a certificate, or they can use. New key.
Root ca renewals and intermediate Ca certificate renewals often it is best to use a new key. Because of this  these root/intermediate CAs have to be included when a new cert issued by them is loaded in a server or as in your case on a device/load balancer.
0
 

Author Comment

by:eemoon
ID: 41802501
Thank you all so much for your explanation! Based on the above, i realize all "Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert." exist in F5. My question is what is function of "Root CA Cert > Intermediate CA Cert (bundle of Sub CA) " for the whole chain? Can we directly use Server SSL ?

If I am a client, and I want to install SSL for my F5, what do I need to buy? buy certificate or key?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41802522
It is to build chain of trust where the check on the chain will be done to ascertain if we can trust the SSL server cert issue by the SubCA and the latter's CA (or root CA).

Either do a self sign cert which you generate in F5 box, not recommended though. Instead, buy SSL cert which will come with the keys. The root CA and SubCA cert is free for download. The issuer which you buy from will direct you with steps to download.

Thereafter the file you gotten from the 3rd party issuer will probably be a PEM file and yiu can import to your SSL profile. The step shared in the link in past post will guide.

Client SSL - see the key (required), certificate (refer to cert bundle amd root CA) and chain explanation. F5 box is serving the client browser as a server hence it requires the key and certificate.

https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html

Server SSL - certificate and key are optional unless you are doing two way ssl in which F5 is a client to the server it is connecting to.

https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
0
 
LVL 76

Accepted Solution

by:
arnold earned 250 total points
ID: 41802586
Yes, you can use just the cert ssl, the reason to include the chain root ca, and intermediate deals with assisting connecting clients see the certificate as valid in the event the remote client does not have either root ca or intermediate ca in their system referenced or included as trusted.

Think of it this way, the server certificate identifies the server, let's say similar to a driver license.
Unless you trust the validity/issuer of the displayed driver license, you need further proof that the driver license us authentic and not forged/fake. The root ca/intermediate Ca certs acts as confirming/authenticating the authenticity/validity of the server cert.

With that said, a client connects to the server and during the connection neotiation, the server presents its certificate, the client if it has either/both server cert issuing CAs (root ca or intermediate ca as trusted) the action will proceed.... Without further delay, if the client does not, the certificate chain the certificate from the server included, would help the client authenticate/validate that the server cert is valid and ....

Merely including your certificate's root ca, intermediate issuing ca is not the final word.
I.e. If you setup your own CAs, as suggested, unless tge fluent accepts and sets your root ca, intermediate Ca certs as trusted, connections to the server will always prompt the user with a warning message that the authententicity of the certificate can not be validated allowing the client to accept the validity once, or by trusting the chain of certs, permanently (until the expiration of the root ca(
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41802608
If using 3rd party CA, you can check out one example GoDaddy steps for F5 LTM.

https://sg.godaddy.com/help/installing-an-ssl-certificate-in-f5-big-ip-loadbalancer-5511

Actually there is also public key pinning to give that extra assurance on top of rhe trust check discussed.
When Do You Pin?
You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.
 https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#What_Is_Pinning.3F

F5 irule can add HTTP header for thia

https://devcentral.f5.com/questions/configure-certificates-pinning-via-ltm-policies-v-1153

For info
A website operator can choose to either pin the root certificate public key of a particular root certificate authority, allowing only that certificate authority (and all intermediate authorities signed by its key) to issue valid certificates for the website's domain, and/or to pin the key(s) of one or more intermediate issuing certificates, or to pin the end-entity public key.
0
 

Author Comment

by:eemoon
ID: 41803038
Thank you so much for your explanation, especially the good example that you gave(driver license) to understand it. Here is thing that I am not sure:

There are several sites in which F5 are located for the same website (maybe there there several servers behind them in different locations). do we need several certificates or just one? and its key? Do the client(user PC) need the same certificate and key? and the servers also need the certificate and key?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41803079
Either you consider buying a UCC cert with multiple site inside the single cert SAN, otherwise wildcard cert that covers all subdomain. So still one ssl cert for multiple website in ine F5 box or those boxes fronting these websites.

The client machine just need the root and intermediate CA bundle. The server ssl and key are in the F5  box. Client browser will prompt warning if those root cert and sub CA cert is not in the machine store but the user can just click trust and move forward thereafter.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41803176
To answer the question, more information is needed.
There might be more sites behind the F5 that are accessed in an unencrypted, the certificate is only used for secure access (encrypted) to a site represented.

The certificate on the F5 terminates (SSL connection from client to f5) the f5 the load balances the traffic between/among the servers that serve up the site/s.
0
 

Assisted Solution

by:eemoon
eemoon earned 0 total points
ID: 41803247
server ----- F5 ----- client

server ----- client

the above are two topology
 
F5 box is serving the client browser as a server hence it requires the key and certificate.

Can I say the F5 represents the server to contact the client through ssl certificate and key(first topology)? Without the F5(second topology), the certificate and key would need to move to the server, right?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41803291
Usually, the glow is in bound, so you have F5 as an application accelerator where files/data that changes are retrieved from the server, while static data, images, template settings, etc. are residing on the cache (F5) storage....
This maximizes responsiveness/pergormance while minimizing the resource hits on the server.

Yes, if F5 is not in the mix, the certificate/private key would need to be installed on the server and the server web binding will need to be updated to listen on port 443 as well as security settings to make sure either the entire site is accessed via a secure connection or a specific directory can only be accessed via a secure connection, I.e. The "store" where cc or other data where sensitive data is exchanged.
0
 

Author Comment

by:eemoon
ID: 41803336
Thank you so much.
It looks like that certificate/key is per website behavioral, for example, if the F5/server hold 10 websites, the F5/server need 10 certificate/key, right? but in users' side, their PC just just need to install the same "root CA and SubCA cert", can i say like that?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41803360
Yes, that is correct for sites requiring secure communication.
Btan, provided an alternative that you can have/get a single certificate that includes multiple name
Subject Name Alternative deals with the certificate being valid for
Www.maindomain.com
SAN
www.anotherdomain.com
Www.yetanotherdomain.com
Ww.onemoredomain.com

Though usually, the domains/hostnames are related
Www.mydonain.com
Store.mydomain.com
Blog.mydomain.com
Webmail.mydomain.com, etc.
0
 

Author Comment

by:eemoon
ID: 41803381
Thank you all. I already have these basic concept. The post is very long and already answered many questions. I should stop here and i am going to start another new post for my next question. Thank you again!
0
 

Author Comment

by:eemoon
ID: 41840221
Can I say,  if we want " CA root cert ----- intermediate cert ----- client cert" to work, the chain should exist in both server and client PC?
0
 
LVL 61

Expert Comment

by:btan
ID: 41840498
yes - for both CA root cert ----- intermediate cert in server (must) and client (warning if missing but can still proceed to access). The client cert is for client machine and not server. The latter just check if the client cert's CA and int.cert is in its store
0
 

Author Comment

by:eemoon
ID: 41842024
Very good. Do you think if client PC have two ways to get certificate? One is that client himself install it in the PC.
Second is that administer install it on F5. when the client access the F5/server, it can automatically install it to the client PC
0
 
LVL 61

Expert Comment

by:btan
ID: 41842199
export & import into client or self install upon prompt
0
 

Author Comment

by:eemoon
ID: 41842288
Thank you btan
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
EXCHANGE 22 62
Office 365 SSL Issues 5 51
Is banking over coffee-shop wifi SAFE? 16 113
Windows 7 lost password...(reset vs change) 5 35
By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now