Forum Discussion
Question on CSR and SSL
Ok then. For the F5 part you can check K14620 (https://support.f5.com/csp/article/K14620). It even has a video for the full process. You can also see the video here: https://youtu.be/nCHi4aF5fWc.
Just one thing there: most browsers today consider certificates as unsafe when the Subject Alternative Name is not populated with the correct hostname, so when you create the CSR, be sure to also fill out the Subject Alternative Name field.
Let's say you are creating a certificate for the website "www.company.com". You would fill the Common Name field with "www.company.com" and the SAN field with "DNS:www.company.com". If you have aliases or other DNS names you want to use you can also use a SAN like "DNS:www.company.com, DNS:site.company.com, DNS:company.com".
Note that you don't need to export the private key from F5.
Now for the parts not covered in K14620...
1. Signing the CSR.
I like using openssl for the key/CSR/certificate checking, but honestly it's way easier to use software like SimpleAuthority to create a CA and create or sign certificates. You can get it here: https://simpleauthority.com/
2. Making your own CA trusted in client machines
Export the public CA certificate to PEM format or any other you prefer. In Windows, click the file. Click the "Install Certificate..." button; it should open the "Import Certificate" wizard. Choose Current User or Local Machine. In the next step don't use the automatic option; force the certificate to be installed in the "Trusted Root Certification Authorities".
3a. Putting it all together v1 (full SSL offload)
Your Virtual Server will need at least 2 profiles: HTTP and Client-SSL. The client SSL profile will use the certificate and key you created, as explained in the article. If you're using plain HTTP on the server side, that's it.
3b. Putting it all together v2 (HTTPS in the backend)
Some organizations require full encryption on the server side as well. If this is the case you will also need a Server-SSL profile. You can use the default "serverssl"; it'll gobble anything, including invalid certificates.
Mike
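For readers following the SAN advice and the "Signing the CSR" step with openssl, the script below is an added example, not part of the original post: it signs a CSR with a throwaway lab CA and checks whether the Subject Alternative Name is still there afterwards. The file names, the "Lab Test CA" name and the locally generated CSR (a stand-in for the one created on the BIG-IP) are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example: sign a CSR with a throwaway lab CA and confirm the SAN survives.
# All names, paths and the CA below are constructed for the demo.
WORK="$(mktemp -d)"
cat > "$WORK/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Lab Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[san]
subjectAltName = DNS:www.company.com,DNS:site.company.com,DNS:company.com
EOF

# has_san <req|x509> <file> <hostname>: exact match on a DNS entry in the SAN.
has_san() {
  openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ', ' '\n\n' | grep -qxF "DNS:$3"
}

# sign_csr <out.pem> [extra x509 options]: issue a 30-day cert from the lab CA.
sign_csr() {
  out="$1"; shift
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$out" "$@" 2>/dev/null
}

# Lab CA (the post suggests SimpleAuthority for this part).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/lab.cnf" \
  -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Stand-in for the CSR generated on the BIG-IP, where the key stays on the device.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/lab.cnf" \
  -subj "/CN=www.company.com" -reqexts san \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null

has_san req "$WORK/site.csr" www.company.com && echo "CSR carries the SAN"

# Pitfall: by default `x509 -req` does not copy extensions from the CSR.
sign_csr "$WORK/no-san.pem"
has_san x509 "$WORK/no-san.pem" www.company.com || echo "no-san.pem: SAN lost at signing"

# Fix: have the CA set the SAN itself from an extensions file.
sign_csr "$WORK/with-san.pem" -extfile "$WORK/lab.cnf" -extensions san
has_san x509 "$WORK/with-san.pem" company.com && echo "with-san.pem: SAN present"
openssl verify -CAfile "$WORK/ca.pem" "$WORK/with-san.pem"
```

The same `has_san x509 <file> <hostname>` check works on any PEM certificate returned by a CA before it is imported into the Client-SSL profile.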
- Nitesh (Cirrus), Sep 06, 2021
I will do it all over again keeping the above points in mind. Thank you for taking out your precious time and replying.