Using root certs for validation instead of using VIP certs for validation

Document ID : KB000111981
Last Modified Date : 23/08/2018
Question:
To verify our backend we are currently uploading the public certificate from the F5 VIPs by searching for it in Manage Certificates. We were recently told that this is a concern and that we should be using the certificate authority (CA) root cert to validate all backend F5 VIPs instead. Can we validate the VIPs using only the certificate authority (CA) root cert?
Answer:
Yes. APIM (the Gateway) is the SSL client in this connection, so its trust store only needs the root CA certificate and all of its intermediate CA certificates in the chain; the individual VIP certificates do not need to be uploaded.

Additional Information:
Verified this with other support engineers and also ran the following test:

ONLY the root CA certificate (mcqst02d7510.ca.com) installed on the CA Gateway under Trusted Certificates, with "Certificate is a Trusted Anchor" checked.
Created a Web Service with
Route via HTTP(s) to https://test.ssosites.com

Accessed SSL and non-SSL through the GW: successful, no SSL errors; verified the proper key exchange via packet capture as well.

http://mcqst02-ssg930-4.ssosites.com:8080/test1

https://mcqst02-ssg930-4.ssosites.com:8443/test1

Managed Certificates: installed the root CA as a Trusted Anchor



Packet capture snippet, certificate chain from the root CA to the web server:

commonName=mcqst02d7510.ca.com --> commonName=test.ssosites.com

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2995
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2991
            Certificates Length: 2988
            Certificates (2988 bytes)
                Certificate Length: 1441
                Certificate: 3082059d30820385020101300d06092a864886f70d01010b... (pkcs-9-at-emailAddress=mcqst02@ca.com,id-at-commonName=test.ssosites.com,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Maynard,id-at-stat
                Certificate Length: 1541
                Certificate: 30820601308203e9a003020102020900d46b66b785a9ca64... (pkcs-9-at-emailAddress=mcqst02@ca.com,id-at-commonName=mcqst02d7510.ca.com,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Framingham,id-at
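The trust decision described in the answer and visible in the capture above, as an added example written for this article (it is not Gateway code and does not use any Gateway API): a client whose trust store holds only the root CA validates a backend certificate, provided the backend presents its intermediate CA. The chain is constructed in memory with Go's standard library; the root and VIP names are borrowed from the test above, the intermediate CA name is made up, and the keys are throwaway. The check also shows the two ways this setup fails in practice: the backend omits the intermediate from its Certificate message, or the VIP certificate does not cover the host being routed to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed chain standing in for the one in the capture above:
// root CA -> intermediate CA -> backend VIP (server) certificate.
type PKI struct{ Root, Inter, Leaf *x509.Certificate }

// template builds a CA or a server (leaf) certificate template for cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !ca { // a VIP certificate: bound to its hostname, usable for server auth
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestPKI generates the throwaway chain. The root and VIP names are the
// ones from the article's test; the intermediate name is constructed.
func BuildTestPKI() (PKI, error) {
	root, rootKey, err := issue(template("mcqst02d7510.ca.com", 1, true), nil, nil)
	if err != nil {
		return PKI{}, err
	}
	inter, interKey, err := issue(template("Intermediate CA (constructed)", 2, true), root, rootKey)
	if err != nil {
		return PKI{}, err
	}
	leaf, _, err := issue(template("test.ssosites.com", 3, false), inter, interKey)
	return PKI{Root: root, Inter: inter, Leaf: leaf}, err
}

// ValidateAgainstRoot is the trust decision a TLS client makes when its trust
// store holds only the root CA as anchor: intermediates must come from what the
// backend presented, and the leaf must match the routed host and allow server auth.
func ValidateAgainstRoot(root, leaf *x509.Certificate, host string, presented ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("full chain, root-only trust store:", ValidateAgainstRoot(p.Root, p.Leaf, "test.ssosites.com", p.Inter))
	fmt.Println("intermediate not presented:       ", ValidateAgainstRoot(p.Root, p.Leaf, "test.ssosites.com"))
	fmt.Println("hostname not in VIP certificate:  ", ValidateAgainstRoot(p.Root, p.Leaf, "other.example.com", p.Inter))
}
```

The first call returns nil, the other two return an error. The second failure is the one to watch for when switching from per-VIP certificates to a root anchor: the root never travels in the handshake, but the intermediates have to, either from the backend's configured chain or by installing them on the Gateway alongside the root.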