Forum Discussion

Nitesh's avatar
Nitesh
Icon for Cirrus rankCirrus
Aug 12, 2021

Question on CSR and SSL

Please someone help me clear below doubt. Below is the scenario i am demonstrating in LAB. 1) I have generated CSR on LTM and provided to CA (CA is my Windows server 2012) 2)With the help of open S...
application delivery
BIG-IP
csr
ssl
SSL Orchestrator
Mike757's avatar
Mike757
Icon for MVP rankMVP
Aug 20, 2021

Hi Nitesh

 

I think you made some error here: "i generated public and private key pair and signed the CSR".

 

When you create a CSR, you do so based on a private key. If you created the CSR in BIG-IP, the private key is automatically created for you, and stored there.

 

If you create a public certificate based on a new private key you generated elsewhere, it will never match the private key stored in BIG-IP.

 

When you use public CAs, the whole point of using a CSR is that you don't ever have to share the private key. The concept here is similar - you provide the CSR so the CA signs it. No new private key is created.

 

About importing CA certificates to a test client, be aware that Firefox uses its own CA list. IE/Edge/Chrome use windows certificate store. You should import your CA certificate to either user or computer certificate store, under "Trusted Root Certification Authorities > Certificates".

 

Hope it helps.

 

Mike