Forum Discussion
Fawad_29089
Nimbostratus
NimbostratusExchange Certificates on LTM
Hi,
I need some information for the installation of Public SSL certificates on F5 for Exchange. We will be using Single Virtual IP Address for all Exchange Services. So the certificate type I am thinking of using is Subject Alternate Name Certificate (SAN) – single certificate. I will generate one request each from the two LTM devices.
This is the document I am referring to for creating of Certificate Request. http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html .
We are doing SSL offloading on Exchange so all client SSL requests will terminate on F5 – which is pretty much the standard procedure.
•Do we need to generate certificate request on Exchange Servers as well?
•Is there any requirement to import Exchange Servers Certificates on F5 for each service?
After reading some documents and online forums I got this indication that the only device that requires certificate is F5 if you are doing SSL offloading. Let me know if this correct! How is your implementation for certificates?
Thanks,
Fawad Alam
nitassEmployee
Do we need to generate certificate request on Exchange Servers as well?no, one certificate/key is enough.
Is there any requirement to import Exchange Servers Certificates on F5 for each service?certificate and key are in PEM format or PKCS12 format (begining in 10.1.0).
After reading some documents and online forums I got this indication that the only device that requires certificate is F5 if you are doing SSL offloading. yes, it is correct.
Fawad_29089Thanks for the reply!
So it means that the only place where I need certificate is F5 and there is no need to generate certificate request from Exchange and also no need to import any Exchange certificate from Exchange on F5.Is this correct?
- nitassSo it means that the only place where I need certificate is F5 and there is no need to generate certificate request from Exchange actually, you can create CSR on either bigip or exchange server. after getting certificate from CA, you are able to use it anywhere e.g. bigip, exchange server, etc.
also no need to import any Exchange certificate from Exchange on F5if you have certificate (and private key) already on exchange server, you do not need to create a new CSR. what you have to do is to copy the certificate (and key) from exchange to bigip. on exchange server, you have choice to run either http or https. in case of https, you are able to use the same certificat (and key) as bigip or you can create a new self-signed certificate (and key).
hope this helps. - Fawad_29089I have few more questions regarding certificates:
1. Is device certificate has anything to do with the SSL certificate for Exchange? SHould I have a device certificate for each LTM device (Pri/Backup)?
2. How do you generate CSR for device certificate? How is the Key request generated? I guess I have to send both of them to CA.
3. I have to generate SSL SAN certificate CSR for Exchange? How do I generate Key along with this?
4. Do I need to have both Device Certificate and SSL certificate for it to work properly?
5. Is the Key for Device Certificate same as the Key for SSL certificate?
Thanks, - nitass1. Is device certificate has anything to do with the SSL certificate for Exchange?no
2. How do you generate CSR for device certificate? How is the Key request generated? I guess I have to send both of them to CA.only CSR is sent to CA.
there is information regarding device certificate in the sol below.
sol8187: Troubleshooting BIG-IP device certificates (9.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/8000/100/sol8187.html
3. I have to generate SSL SAN certificate CSR for Exchange? How do I generate Key along with this?i understand key is created on step 7 in the sol (sol11438) you mentioned.
sol11438: Creating SSL SAN certificates and CSRs (9.x - 11.0.0)
http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438/
4. Do I need to have both Device Certificate and SSL certificate for it to work properly?i understand only ssl certificate.
5. Is the Key for Device Certificate same as the Key for SSL certificate?i think so. all are public key infrastructure.
hope this helps. - John_Matlock_42Hi Fawad,
The Device Certificate is completely seperate from anything having to do with the Exchange certificates. The Device Certificate is the SSL certificate which is used to encrypt management traffic where needed-- for instance, when connecting https to the F5s web management interface.
To expand on Nitass' responses a bit...
2. How do you generate CSR for device certificate? How is the Key request generated? I guess I have to send both of them to CA.
Honestly, the self signed Device Certificate which comes on the F5 by default is good enough for most purposes. If you have an internal CA you can generate a CSR for the hostname you've given the device and just import the cert/key.
3. I have to generate SSL SAN certificate CSR for Exchange? How do I generate Key along with this?
The private key is generated in step 7 and is saved to the file name you provide with the "-keyout" parameter. When you receive the certificate back from the CA, you'll import both the key and certificate into the F5s certificate store and create an SSL profile.
Do I need to have both Device Certificate and SSL certificate for it to work properly?
No, these items are seperate.
5. Is the Key for Device Certificate same as the Key for SSL certificate?
They're the same in that they're PKI keys, but the keys will be different as they are generated when a CSR is created.
I hope this helps.
John