You should never be afraid of your CA bundle…

Had a fun issue: an F5 LTM didn’t automagically select the proper CA bundle, and another device on the long walk to egress didn’t either.

According to the Geotrust Certificate Checker: “The issuer of the following certificate is not supported by the certificate installation checker” WHAT?!? I used the proper cert and I installed the bundle, why wasn’t it working?? What was even more confusing was that Chrome and IE8 had no complaints. Only Firefox and Geotrust had a problem with the certs.

Evidently, the LTM and the intermediate devices were not sending the proper chain certs to the client. While the serial numbers on the intermediate certs matched, something was bad wrong in the middle. My guess is that the F5 was automatically selecting the wrong chain.

OpenSSL’s CLI toolset saved the day.

openssl verify -verbose -CAfile /path/to/CA-BUNDLE.crt /path/to/CERT.crt

Swapping around the CA bundle in the above line, I was able to find the proper one. I tied the SSL profile to this one specifically in the F5 and the other devices and it all ‘just worked’.