07-24-2012 06:17 AM
Hi,
Looking for an explanation of what a chaingroup is and what it is used for. Is this something related to wildcard?
Thanks
Ajay
07-24-2012 08:48 AM
Just to chime in on this. A certificate chain normally would look like this.
Root CA ---> Intermediate CA ---> Server Certificate
The root CA Signs the Intermediate CA and the Intermediate CA Signs the Certificate.
Assuming that the client browser has the intermediate and root CAs in its certificate store, the browser can authenticate the server certificate. If the root CA and the intermediate CA are not in the client certificate store, then the server certificate cannot be authenticated. So to allow for this, you configure the ACE with a chaingroup that has the root and any intermediate CAs in it. This will allow the ACE to pass the full certificate chain to the client, thus allowing the client to fully authenticate the server certificate.
Chris
07-24-2012 07:34 AM
Hello Ajay,
"The chaingroup feature under the ssl-proxy service is designed to give the additional certificates beyond the server certificate.
For SSL termination, you need to have a minimum of a key and server cert defined/established in the ssl-proxy service, then (optional) you can define a chaingroup.
The chaingroup would contain the certificate that signed the server cert and (optionally) any additional certificates in the chain, up to the root."
Sometimes, some browsers require not only the key and server cert but also the rest of the certificates in the chain.
Please mark if it is useful
Hope, this helps.
Jorge
07-24-2012 07:53 AM
Hi Jorge,
I agree with your statement:
For SSL termination, you need to have a minimum of a key and server cert defined/established in the ssl-proxy service.
However, I am still not clear on chaingroup. What comes as a requirement for using chaingroup? Is it for multiple certs for the same VIP, or something else?
Thanks
Ajay
07-24-2012 08:02 AM
Hello Ajay,
It is optional. Sometimes some browsers require the intermediate certificates besides the key and server cert; that's where you configure the chaingroup to provide them.
Jorge
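As an added illustration (not from this thread or from Cisco's documentation), here are the two ssl-proxy configurations side by side: the first terminates SSL with only the key and server cert, so a client whose store holds just the root cannot link the server cert to it; the second adds a chaingroup that carries the intermediate (and, optionally, the root). The object names MYKEY.PEM, SERVER.PEM, INTERMEDIATE.PEM, ROOT.PEM, MYCHAIN and MYSSL are placeholders, and the `!` lines are annotations.

```cisco
! --- Before: key and server cert only, no chaingroup ---
! A browser that does not already hold INTERMEDIATE.PEM cannot
! build a path from SERVER.PEM to a trusted root and rejects the session.
ssl-proxy service MYSSL
  key MYKEY.PEM
  cert SERVER.PEM

! --- After: a chaingroup supplies the rest of the chain ---
! Import the CA certificates first (exec mode; names are placeholders).
crypto import terminal INTERMEDIATE.PEM
crypto import terminal ROOT.PEM

! Group them. The root is optional: the client must already trust it,
! so only the intermediate is strictly needed to complete the path.
crypto chaingroup MYCHAIN
  cert INTERMEDIATE.PEM
  cert ROOT.PEM

! Attach the chaingroup to the same ssl-proxy service.
ssl-proxy service MYSSL
  key MYKEY.PEM
  cert SERVER.PEM
  chaingroup MYCHAIN
```

To confirm the ACE now sends the chain, run `openssl s_client -connect <VIP>:443 -showcerts` from a client and check that the server cert is followed by the chaingroup certificates.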