
F5 Certificate Chain Configuration

Fix "certificate not trusted" errors with proper chain setup.

12 min read, December 2025

The 30-Second Version

The problem: Your site works in Chrome but fails on mobile apps, older clients, or API integrations.

The cause: Missing intermediate certificate chain.

The fix: Import intermediate cert → Add to Client SSL Profile → Chain field in Certificate Key Chain.

F5's gotcha: If you specify the wrong chain, F5 silently sends NO chain at all.

Why Certificate Chains Matter

The Trust Problem

Browsers and clients don't automatically trust your certificate. They need a chain of trust connecting your certificate back to a root CA they already trust.

┌─────────────────────────────────────────┐
│         Root CA Certificate             │  ← Pre-installed in browsers/OS
│   (DigiCert, Sectigo, Let's Encrypt)    │     NOT sent by your server
└─────────────────────┬───────────────────┘
                      │ Signs
                      ▼
┌─────────────────────────────────────────┐
│     Intermediate CA Certificate         │  ← MUST be sent by your server
│                                         │     This is "the chain"
└─────────────────────┬───────────────────┘
                      │ Signs
                      ▼
┌─────────────────────────────────────────┐
│      Your Server Certificate            │  ← Sent by your server
│        (www.example.com)                │
└─────────────────────────────────────────┘

Why Some Clients Work Without the Chain

Modern browsers (Chrome, Firefox, Edge, Safari) will automatically fetch missing intermediate certificates using AIA (Authority Information Access) URLs embedded in your certificate.

But these clients DON'T auto-fetch:

Mobile apps
API clients (curl, Python, etc.)
Older browsers
IoT devices
Command-line tools
Load balancers
Monitoring systems

This is why your site "works in Chrome" but breaks everywhere else.

Where to Configure Chain in F5

The Right Place:

Client SSL Profile → Certificate Key Chain → Chain

NOT these (common mistakes):

  • Trusted Certificate Authorities (that's for client cert validation)
  • Client Certificate Constrained Delegation
  • A separate Server SSL profile

Local Traffic → Profiles → SSL → Client → [Your Profile]

┌─────────────────────────────────────────────────┐
│ Certificate Key Chain                           │
├─────────────────────────────────────────────────┤
│ Certificate: www.example.com_2025          [▼]  │ ← Your cert
│ Key:         www.example.com_2025          [▼]  │ ← Your key
│ Chain:       DigiCert_Intermediate         [▼]  │ ← CHAIN GOES HERE
└─────────────────────────────────────────────────┘

Step-by-Step Chain Configuration

Step 1: Get Your Intermediate Certificate

Download from your CA's website:

CA              Intermediate Certificates Location
--------------  -------------------------------------------------------------------
DigiCert        digicert.com/kb/digicert-root-certificates.htm
Sectigo         sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates
Let's Encrypt   letsencrypt.org/certificates/
GlobalSign      support.globalsign.com/ca-certificates
GoDaddy         certs.godaddy.com/repository

Step 2: Import the Intermediate Certificate

Path: System → Certificate Management → Traffic Certificate Management → SSL Certificate List → Import

  1. Click Import
  2. Import Type: Certificate (NOT Key)
  3. Certificate Name: DigiCert_Intermediate_2025 (or similar)
  4. Certificate Source: Upload or paste PEM content
  5. Click Import

Step 3: Add Chain to Client SSL Profile

Path: Local Traffic → Profiles → SSL → Client → [Your Profile]

  1. Select your Client SSL profile
  2. Under Certificate Key Chain, click on your existing entry (or Add new)
  3. In the Chain dropdown, select your imported intermediate certificate
  4. Click Update or Finished

Step 4: Verify Configuration

# Check that the chain is being sent (should return 2 or more).
# -showcerts is required: without it s_client prints only the server certificate,
# so the count would always be 1. The leading echo closes stdin so s_client exits.
echo | openssl s_client -connect your-vip:443 -servername your-domain.com -showcerts 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"

# See the full chain (echo closes stdin so the command returns instead of waiting)
echo | openssl s_client -connect your-vip:443 -servername your-domain.com -showcerts

F5's Silent Failure Mode

Critical Warning

If you specify a chain certificate that doesn't match your server certificate's issuer, F5 will silently send no chain at all.

How This Happens

  1. You had a DigiCert cert with DigiCert intermediate
  2. You renewed with Sectigo
  3. You updated the certificate but left the old DigiCert chain
  4. F5 sees the mismatch and sends nothing
  5. Chrome works (auto-fetches), mobile apps break

Detection

# Count certificates returned (should be 2+). -showcerts is needed; without it
# only the server certificate is printed and the count is always 1.
echo | openssl s_client -connect your-vip:443 -servername domain.com -showcerts 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"

# If result is 1, your chain isn't being sent!

Common Causes

Cause                      What Happened                         Fix
-------------------------  ------------------------------------  ---------------------------------------
CA changed intermediate    CA updated their chain (common!)      Download fresh intermediate from CA
Renewed with different CA  Switched from DigiCert to Sectigo     Import new CA's intermediate
Wrong chain selected       Typo or wrong dropdown selection      Verify Chain matches certificate issuer
Chain bundle corrupted     Truncated file or encoding issue      Re-download from CA

Multiple Intermediate Certificates

Some CAs have a chain of multiple intermediates:

Root CA
  └── Intermediate CA 1
        └── Intermediate CA 2
              └── Your Certificate

Creating a Bundle

F5's Chain field accepts a single certificate OR a bundle. For multiple intermediates:

# Order: Your issuer first, then the next level up
cat intermediate2.crt intermediate1.crt > chain-bundle.crt

# Verify the bundle
openssl crl2pkcs7 -nocrl -certfile chain-bundle.crt | \
  openssl pkcs7 -print_certs -noout

Import the Bundle

  1. Import the bundle file as a single "certificate" in F5
  2. Select the bundle in the Chain field

Verifying Your Chain

Method 1: OpenSSL Command Line

# Full chain verification (echo closes stdin so s_client exits after the handshake)
echo | openssl s_client -connect your-vip:443 -servername domain.com -showcerts

# You should see output like:
# Certificate chain
#  0 s:CN = www.example.com
#    i:CN = DigiCert SHA2 Extended Validation Server CA
#  1 s:CN = DigiCert SHA2 Extended Validation Server CA
#    i:CN = DigiCert High Assurance EV Root CA

# Verify chain is valid (aborts the connection on the first verification error
# instead of printing "Verify return code" and carrying on)
echo | openssl s_client -connect your-vip:443 -servername domain.com -verify_return_error
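The checks in Step 4, under Detection, and in this method all come down to reading the s_client transcript. The script below is an added example, not code from the article or from F5: it embeds constructed `-showcerts` output (the subject and issuer names are made up, the PEM bodies are placeholders), counts PEM blocks the way the grep above does, and then walks the "Certificate chain" summary to confirm that each certificate's issuer is the next certificate's subject and that no self-signed root was sent. The function and sample names (audit_chain, count_certs, sample_good and friends) are this example's own.

```shell
#!/bin/sh
# Added example, not the article's or F5's own code. Audits saved
# "openssl s_client -showcerts" output offline: counts PEM blocks and checks
# that the "Certificate chain" summary links up cleanly.
set -u

# count_certs < s_client_output : the same count the article's grep produces
count_certs() { grep -c "BEGIN CERTIFICATE"; }

# audit_chain < s_client_output : exit 0 only when 2+ certificates were sent,
# every issuer matches the next subject, and no self-signed root was included
audit_chain() {
  awk '
    /^ *[0-9]+ s:/      { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/             { sub(/^ *i:/, ""); iss[n] = $0; next }
    /BEGIN CERTIFICATE/ { pem++ }
    END {
      if ((pem + 0) < 2) {
        print "MISSING CHAIN: server sent " (pem + 0) " certificate(s); add the intermediate to the Chain field"
        exit 1
      }
      if (n == 0) { print "NO CHAIN SUMMARY: not an s_client transcript?"; exit 1 }
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) {
          print "LINK MISMATCH: cert " (k - 1) " issuer [" iss[k] "] is not cert " k " subject [" subj[k + 1] "]"
          exit 1
        }
      if (subj[n] == iss[n]) {
        print "CONTAINS ANCHOR: cert " (n - 1) " is self-signed; drop the root from the bundle"
        exit 1
      }
      print "OK: " pem " certificates sent, chain reaches root [" iss[n] "]"
    }'
}

# Constructed sample transcripts (format modelled on s_client -showcerts; the
# PEM bodies are placeholders, not real certificates).
sample_good() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example CA Intermediate
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
 1 s:CN = Example CA Intermediate
   i:CN = Example CA Root
-----BEGIN CERTIFICATE-----
MIIB...placeholder-intermediate...
-----END CERTIFICATE-----
---
EOF
}
sample_missing() {   # only the leaf: the "works in Chrome, fails on mobile" case
cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example CA Intermediate
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
EOF
}
sample_anchor() {    # root included: SSL Labs reports "Contains anchor"
sample_good
cat <<'EOF'
 2 s:CN = Example CA Root
   i:CN = Example CA Root
-----BEGIN CERTIFICATE-----
MIIB...placeholder-root...
-----END CERTIFICATE-----
EOF
}

for s in sample_good sample_missing sample_anchor; do
  printf '%s: ' "$s"; "$s" | audit_chain || true
done
```

To audit a live virtual server, replace the sample with `echo | openssl s_client -connect your-vip:443 -servername domain.com -showcerts 2>/dev/null | audit_chain`; the verdicts map directly onto the Detection section and the SSL Labs "Extra download" and "Contains anchor" findings.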

Method 2: SSL Labs

  1. Go to ssllabs.com/ssltest
  2. Enter your domain
  3. Look for Chain issues section
  4. Should show: "Chain issues: None"

Method 3: Certificate Chain Checker Tools

Troubleshooting Chain Issues

Problem: "Certificate not trusted" on mobile/API

Diagnosis:

# Check certificate count (-showcerts is required, or the count is always 1)
echo | openssl s_client -connect your-vip:443 -servername domain.com -showcerts 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"
# If result is 1, chain is missing

Fix: Add intermediate certificate to Chain field in Client SSL profile.

Problem: Chain configured but still not sent

Diagnosis:

# Check if chain matches your certificate's issuer
openssl x509 -in your-cert.crt -noout -issuer
# Output: issuer=CN = DigiCert SHA2 Extended Validation Server CA

# Verify your chain certificate matches
openssl x509 -in your-chain.crt -noout -subject
# Output should match the issuer above

Fix: Download correct intermediate from CA that matches your certificate's issuer.

Problem: SSL Labs shows "Extra download"

This means the chain is incomplete but browsers can auto-fetch.

Fix: Add the missing intermediate. SSL Labs tells you exactly which one is missing.

Problem: SSL Labs shows "Contains anchor"

This means you're sending the root CA certificate (unnecessary).

Fix: Remove root CA from your chain bundle. Only include intermediates.

Chain Configuration - tmsh Commands

# View current chain configuration
tmsh list ltm profile client-ssl my-profile cert-key-chain

# Update chain in existing profile
tmsh modify ltm profile client-ssl my-profile \
  cert-key-chain replace-all-with { \
    entry1 { \
      cert my-certificate \
      key my-key \
      chain my-intermediate \
    } \
  }

# Verify the change
tmsh list ltm profile client-ssl my-profile cert-key-chain

# Save configuration
tmsh save sys config

Quick Reference - Which Certificate Goes Where

Certificate Type          F5 Location                           Purpose
------------------------  ------------------------------------  ----------------------------------
Your server cert          Certificate Key Chain → Certificate   Identity presented to clients
Your private key          Certificate Key Chain → Key           Proves ownership of certificate
Intermediate CA cert(s)   Certificate Key Chain → Chain         Builds trust path to root
Root CA cert              DON'T include                         Already in client trust stores
Client CA certs           Trusted Certificate Authorities       For validating client certs (mTLS)

Prevention Checklist

  • When installing new cert, always configure chain at the same time
  • After renewal, verify chain certificate still matches new cert's issuer
  • Test with openssl s_client after every certificate change
  • Set calendar reminder to check when CA intermediate expires
  • Document which intermediate goes with which certificate
  • Test from a mobile device, not just desktop browser
