Certificate chain validation has been enhanced for all outbound connections:

  • The entire certificate chain sent by remote servers is verified back to the trusted signing Certificate Authority (CA).
  • For OCSP servers, the certificate must also contain the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field.

In all cases, the appropriate certificates for chain of trust validation will need to be uploaded to the LoadMaster certificate store.
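
As a pre-upload check for the OCSP requirement above, the following added example (not LoadMaster code) parses the DER-encoded extensions block of a certificate and reports whether extendedKeyUsage lists OID 1.3.6.1.5.5.7.3.9. The function names and the sample byte strings are constructed for illustration, and the check covers only the key-usage purpose, not chain validation.

```python
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp 9, the purpose named in the text above
EKU_EXT = "2.5.29.37"               # extendedKeyUsage extension OID (RFC 5280)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(body):
    """Decode OID content bytes (base-128 arcs) into dotted notation."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(extensions_der):
    """Return the EKU purposes in a DER Extensions SEQUENCE, or None if absent."""
    _, exts, _ = read_tlv(extensions_der, 0)
    for _, ext in children(exts):
        fields = list(children(ext))  # extnID, optional critical flag, extnValue
        if decode_oid(fields[0][1]) == EKU_EXT:
            _, purposes, _ = read_tlv(fields[-1][1], 0)  # OCTET STRING wraps SEQUENCE
            return [decode_oid(v) for t, v in children(purposes) if t == 0x06]
    return None

def may_sign_ocsp(extensions_der):
    """True only when the EKU extension is present and lists OCSP Signing."""
    return OCSP_SIGNING in (eku_oids(extensions_der) or [])

# Constructed sample Extensions blocks (not taken from real certificates).
OCSP_RESPONDER_EXTS = bytes.fromhex("301530130603551d25040c300a06082b06010505070309")
SERVER_ONLY_EXTS = bytes.fromhex("301530130603551d25040c300a06082b06010505070301")
NO_EKU_EXTS = bytes.fromhex("300b30090603551d1304023000")
```

A certificate with no extendedKeyUsage extension at all is reported as unsuitable, matching the requirement that the purpose be present.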