What is relation among ssl, certificate, ca and intermediate certificate

Hi Experts,
I am installing a certificate on an F5. Can you use an example to explain the relation among SSL, certificate, CA and intermediate certificate, public key and private key, user and provider? Thank you.
A certificate authority infrastructure will usually have a hierarchy of CAs. Take EE for example. It is a 2-tier CA hierarchy.

COMODO ECC Certification Authority (root CA)
|__ COMODO ECC Domain Validation Secure Server CA 2 (subordinate issuing CA)
      |__ ssl310949.cloudflaressl.com (This is the server certificate with SAN's for experts-exchange.com, *.experts-exchange.com)

Other configurations might be a 3-tier hierarchy where the trust chain would be: Root CA -> Intermediate/Policy CA -> Issuing/leaf CA -> Site certificate.

SSL is a crypto protocol that defines secure communication using certificates.

Private key/public key are to do with encrypting and decrypting data for secure exchange, the heart of PKI (public key infrastructure). There is a good video which I like to give people that F5 did on TLS/SSL connection. It explains the concept of PKI, public keys and private keys with a bit of a demo. Watch it here: https://www.youtube.com/watch?v=n_d1rCXNrx0.
eemoon (Author) Commented:
Thank you so much for your fast reply. I am updating the cert for the F5, but someone says that we need to update the intermediate certificate too. Why is that?
You have to trust the whole chain and include the whole chain. Some clients will retrieve a certificate chain, others will expect the whole chain to be presented. On the F5 if the intermediate certificate has changed then you have a new certificate chain. So you need to update it by inserting the new intermediate or the trust is broken.
btan (Exec Consultant) Commented:
Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert.

For a trusted connection with no warning from the browser, the cert chain of trust needs to be established. F5 has Client SSL and Server SSL.

For Client SSL (client <> F5), to avoid a prompt, the user's browser will be presented a "Server" SSL cert from the F5 appliance and the browser will check the chain of trust.

For Server SSL (F5 <> server), to avoid not trusting the channel, the F5 needs to have the root and intermediate cert bundle (if applicable) referenced in your Server SSL profile for the cert presented to it when the F5 tries to access or forward traffic to your server.

They have an article on the SSL profiles which hopefully you will find useful:
- https://devcentral.f5.com/articles/ssl-profiles-part-3-certificate-chain-implementation
Adding to the prior comments.
The root CA certificate has an expiration date (often these are 5, 10 or 20 year terms); you usually have only one.
The intermediate/issuing CA certificate has an expiration date as well that is different (these usually have half the term of the root CA). Depending on the size of the enterprise you can have several intermediate/issuing CAs.
Certificates issued to users, servers, etc. usually expire 1, 2 or 3 years from issuance, not to exceed the expiration date of the intermediate CA.

The holder of a certificate also has a private key, which is used by the holder to decrypt the data. The certificate includes the public key, which is presented/exchanged between the two sides during the negotiation of the connection.
Once a side has the certificate/public key, it uses the public key to encrypt the data it sends to the other end. The recipient uses their private key to decrypt the data. Using the public key obtained during the exchange, the response is encrypted and sent....

When renewing certificates one often has the option to use an existing private key to renew a certificate, or to use a new key.
For root CA renewals and intermediate CA certificate renewals it is often best to use a new key. Because of this, these root/intermediate CAs have to be included when a new cert issued by them is loaded on a server or, as in your case, on a device/load balancer.
eemoon (Author) Commented:
Thank you all so much for your explanation! Based on the above, I realize that all of "Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert." exist in the F5. My question is: what is the function of "Root CA Cert > Intermediate CA Cert (bundle of Sub CA)" for the whole chain? Can we directly use the Server SSL cert?

If I am a client, and I want to install SSL on my F5, what do I need to buy? A certificate or a key?
btan (Exec Consultant) Commented:
It is to build a chain of trust, where the check on the chain is done to ascertain whether we can trust the SSL server cert issued by the SubCA and the latter's CA (or root CA).

Either do a self-signed cert which you generate on the F5 box, not recommended though. Instead, buy an SSL cert, which will come with the keys. The root CA and SubCA certs are free for download. The issuer you buy from will direct you with steps to download them.

Thereafter the file you get from the 3rd party issuer will probably be a PEM file and you can import it into your SSL profile. The steps shared in the link in my past post will guide you.

Client SSL - see the key (required), certificate (refer to cert bundle and root CA) and chain explanation. The F5 box is serving the client browser as a server, hence it requires the key and certificate.

Server SSL - certificate and key are optional unless you are doing two-way SSL, in which case the F5 is a client to the server it is connecting to.

Yes, you can use just the SSL cert. The reason to include the chain (root CA and intermediate) is to help connecting clients see the certificate as valid in the event the remote client does not have either the root CA or the intermediate CA referenced or included as trusted in their system.

Think of it this way: the server certificate identifies the server, let's say similar to a driver's license.
Unless you trust the validity/issuer of the displayed driver's license, you need further proof that the driver's license is authentic and not forged/fake. The root CA/intermediate CA certs act as confirming/authenticating the authenticity/validity of the server cert.

With that said, a client connects to the server and during the connection negotiation the server presents its certificate. If the client has either/both of the server cert's issuing CAs (root CA or intermediate CA) as trusted, the action will proceed without further delay. If the client does not, the certificate chain included with the certificate from the server would help the client authenticate/validate that the server cert is valid and ....

Merely including your certificate's root CA and intermediate issuing CA is not the final word.
I.e. if you set up your own CAs, as suggested, unless the client accepts and sets your root CA and intermediate CA certs as trusted, connections to the server will always prompt the user with a warning message that the authenticity of the certificate cannot be validated, allowing the client to accept the validity once, or, by trusting the chain of certs, permanently (until the expiration of the root CA).
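The two points made above (the trust is broken when the intermediate is missing from what the server presents, and the cert you buy pairs with a private key you keep on the F5) as a runnable check. This is an added example, not from any poster here or from F5: it builds a constructed two-tier CA with openssl (all names are made up) and then verifies the server cert the way a client that trusts only the root would.

```sh
#!/bin/sh
# Added demo (not from the thread): build a 2-tier CA like the one described above
# (root -> intermediate -> server) with openssl, then show that the server cert
# validates only when the intermediate is supplied, and that the private key you
# keep on the F5 matches the certificate you bought. All names are constructed.
set -e
WORK=$(mktemp -d)

# Root CA: self-signed, long lived (the trust anchor clients already hold)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate (issuing) CA: signed by the root, marked CA:TRUE so it may sign leaf certs
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Issuing CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (end-entity) cert: what you buy and install on the F5, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null

# Client that trusts only the root and is handed server cert + intermediate: the chain completes.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Same client handed only the server cert (intermediate missing on the F5): "unable to get local issuer".
verify_without_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# The certificate carries the public key; the private key stays on the F5. Confirm they are a pair.
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/server.pem" -pubkey -noout 2>/dev/null)" ]
}

if verify_with_chain; then echo "with intermediate: chain OK"; fi
if ! verify_without_chain; then echo "without intermediate: chain broken"; fi
if key_matches_cert; then echo "server.key matches server.pem"; fi
```

Against a live F5, `openssl s_client -connect host:443 -showcerts` lists exactly which certificates the virtual server presents, so you can see whether the intermediate is in the chain it serves.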

btan (Exec Consultant) Commented:
If using a 3rd party CA, you can check out, as one example, the GoDaddy steps for F5 LTM.

Actually there is also public key pinning to give that extra assurance on top of the trust check discussed.
When Do You Pin?
You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.

An F5 iRule can add the HTTP header for this.

For info:
A website operator can choose to either pin the root certificate public key of a particular root certificate authority, allowing only that certificate authority (and all intermediate authorities signed by its key) to issue valid certificates for the website's domain, and/or to pin the key(s) of one or more intermediate issuing certificates, or to pin the end-entity public key.
eemoon (Author) Commented:
Thank you so much for your explanation, especially the good example that you gave (driver's license) to understand it. Here is the thing that I am not sure about:

There are several sites in which F5s are located for the same website (maybe there are several servers behind them in different locations). Do we need several certificates or just one? And its key? Do the clients (user PCs) need the same certificate and key? And do the servers also need the certificate and key?
btan (Exec Consultant) Commented:
Either you consider buying a UCC cert with multiple sites inside the single cert's SAN, or otherwise a wildcard cert that covers all subdomains. So still one SSL cert for multiple websites in one F5 box or those boxes fronting these websites.

The client machine just needs the root and intermediate CA bundle. The server SSL cert and key are in the F5 box. The client browser will prompt a warning if those root cert and sub CA cert are not in the machine store, but the user can just click trust and move forward thereafter.
To answer the question, more information is needed.
There might be more sites behind the F5 that are accessed unencrypted; the certificate is only used for secure (encrypted) access to the site it represents.

The certificate on the F5 terminates the SSL connection from the client to the F5; the F5 then load balances the traffic between/among the servers that serve up the site(s).
eemoon (Author) Commented:
server ----- F5 ----- client

server ----- client

The above are two topologies.
F5 box is serving the client browser as a server hence it requires the key and certificate.

Can I say the F5 represents the server to contact the client through the SSL certificate and key (first topology)? Without the F5 (second topology), the certificate and key would need to move to the server, right?
Usually, the flow is inbound, so you have the F5 as an application accelerator where files/data that change are retrieved from the server, while static data, images, template settings, etc. reside on the cache (F5) storage....
This maximizes responsiveness/performance while minimizing the resource hits on the server.

Yes, if the F5 is not in the mix, the certificate/private key would need to be installed on the server, and the server web binding will need to be updated to listen on port 443, as well as security settings to make sure either the entire site is accessed via a secure connection or a specific directory can only be accessed via a secure connection, i.e. the "store" where credit card or other sensitive data is exchanged.
eemoon (Author) Commented:
Thank you so much.
It looks like the certificate/key is per website; for example, if the F5/server holds 10 websites, the F5/server needs 10 certificates/keys, right? But on the users' side, their PCs just need to install the same "root CA and SubCA cert". Can I say it like that?
Yes, that is correct for sites requiring secure communication.
btan provided an alternative: you can have/get a single certificate that includes multiple names.
Subject Alternative Name deals with the certificate being valid for

Though usually the domains/hostnames are related:
webmail.mydomain.com, etc.
eemoon (Author) Commented:
Thank you all. I already have these basic concepts. The post is very long and has already answered many questions. I should stop here and I am going to start a new post for my next question. Thank you again!
eemoon (Author) Commented:
Can I say, if we want "CA root cert ----- intermediate cert ----- client cert" to work, the chain should exist on both the server and the client PC?
btan (Exec Consultant) Commented:
Yes - for both: CA root cert ----- intermediate cert on the server (must) and on the client (warning if missing, but it can still proceed to access). The client cert is for the client machine and not the server. The latter just checks whether the client cert's CA and intermediate cert are in its store.
eemoon (Author) Commented:
Very good. Do you think the client PC has two ways to get the certificate? One is that the client installs it on the PC himself.
The second is that the administrator installs it on the F5; when the client accesses the F5/server, it can automatically install it on the client PC.
btan (Exec Consultant) Commented:
Export and import into the client, or self-install upon the prompt.
eemoon (Author) Commented:
Thank you btan