Exchange Certificates on LTM

Question

Hi,&nbsp;
I need some information for the installation of Public SSL certificates on F5 for Exchange. We will be using Single Virtual IP Address for all Exchange Services. So the certificate type I am thinking of using is Subject Alternate Name Certificate (SAN) – single certificate. I will generate one request each from the two LTM devices. 
&nbsp;This is the document I am referring to for creating of Certificate Request. http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html .&nbsp;
&nbsp;We are doing SSL offloading on Exchange so all client SSL requests will terminate on F5 – which is pretty much the standard procedure. &nbsp;
&nbsp;•Do we need to generate certificate request on Exchange Servers as well? 
&nbsp;•Is there any requirement to import Exchange Servers Certificates on F5 for each service?&nbsp;
&nbsp;After reading some documents and online forums I got this indication that the only device that requires certificate is F5 if you are doing SSL offloading. Let me know if this correct! How is your implementation for certificates?&nbsp;
&nbsp;Thanks,
&nbsp;Fawad Alam&nbsp;&nbsp;

nitass · Answer

Do we need to generate certificate request on Exchange Servers as well?no, one certificate/key is enough. 
&nbsp;  
&nbsp; Is there any requirement to import Exchange Servers Certificates on F5 for each service?certificate and key are in PEM format or PKCS12 format (begining in 10.1.0). 
&nbsp;  
&nbsp; After reading some documents and online forums I got this indication that the only device that requires certificate is F5 if you are doing SSL offloading. yes, it is correct.

fawad_29089 · Answer

Thanks for the reply! &nbsp;
&nbsp; So it means that the only place where I need certificate is F5 and there is no need to generate certificate request from Exchange and also no need to import any Exchange certificate from Exchange on F5.&nbsp;&nbsp;&nbsp;
Is this correct?&nbsp;

nitass · Answer

So it means that the only place where I need certificate is F5 and there is no need to generate certificate request from Exchange actually, you can create CSR on either bigip or exchange server. after getting certificate from CA, you are able to use it anywhere e.g. bigip, exchange server, etc. 
&nbsp;  
&nbsp; also no need to import any Exchange certificate from Exchange on F5if you have certificate (and private key) already on exchange server, you do not need to create a new CSR. what you have to do is to copy the certificate (and key) from exchange to bigip. on exchange server, you have choice to run either http or https. in case of https, you are able to use the same certificat (and key) as bigip or you can create a new self-signed certificate (and key). 
&nbsp;  
&nbsp; hope this helps.

fawad_29089 · Answer

I have few more questions regarding certificates: 
&nbsp;  
&nbsp; 1. Is device certificate has anything to do with the SSL certificate for Exchange? SHould I have a device certificate for each LTM device (Pri/Backup)? 
&nbsp; 2. How do you generate CSR for device certificate? How is the Key request generated? I guess I have to send both of them to CA.  
&nbsp;  
&nbsp; 3. I have to generate SSL SAN certificate CSR for Exchange? How do I generate Key along with this?  
&nbsp; 4. Do I need to have both Device Certificate and SSL certificate for it to work properly?  
&nbsp; 5. Is the Key for Device Certificate same as the Key for SSL certificate? 
&nbsp;  
&nbsp; Thanks,

nitass · Answer

1. Is device certificate has anything to do with the SSL certificate for Exchange?no 
&nbsp;  
&nbsp; 2. How do you generate CSR for device certificate? How is the Key request generated? I guess I have to send both of them to CA.only CSR is sent to CA. 
&nbsp;  
&nbsp; there is information regarding device certificate in the sol below. 
&nbsp;  
&nbsp; sol8187: Troubleshooting BIG-IP device certificates (9.x - 10.x) 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/8000/100/sol8187.html 
&nbsp;  
&nbsp; 3. I have to generate SSL SAN certificate CSR for Exchange? How do I generate Key along with this?i understand key is created on step 7 in the sol (sol11438) you mentioned. 
&nbsp;  
&nbsp; sol11438: Creating SSL SAN certificates and CSRs (9.x - 11.0.0)  
&nbsp; http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438/ 
&nbsp;  
&nbsp; 4. Do I need to have both Device Certificate and SSL certificate for it to work properly?i understand only ssl certificate. 
&nbsp;  
&nbsp; 5. Is the Key for Device Certificate same as the Key for SSL certificate?i think so. all are public key infrastructure. 
&nbsp;  
&nbsp; hope this helps.

Forum Discussion

Recent Discussions

Related Content

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automating ACMEv2 Certificate Management on BIG-IP

LTM Certificate expire

Automate Let's Encrypt Certificates on BIG-IP