Forum Discussion

Nitesh's avatar
Nitesh
Icon for Cirrus rankCirrus
Aug 12, 2021

Question on CSR and SSL

Please someone help me clear below doubt. Below is the scenario i am demonstrating in LAB. 1) I have generated CSR on LTM and provided to CA (CA is my Windows server 2012) 2)With the help of open S...
application delivery
BIG-IP
csr
ssl
SSL Orchestrator
Mike757's avatar
Mike757
Icon for MVP rankMVP

Ok then. For the F5 part you can check K14620 (https://support.f5.com/csp/article/K14620). It even has a video for the full process. You can also see the video here: https://youtu.be/nCHi4aF5fWc.

 

Just one thing there: most browsers today consider certificates as unsafe when the Subject Alternative Name is not populated with the correct hostname, so when you create the CSR, be sure to also fill out the Subject Alternative Name field.

 

Let's say you are creating a certificate for the website "www.company.com". You would fill the Common Name field with "www.company.com" and the SAN field with "DNS:www.company.com". If you have aliases or other DNS names you want to use you can also use a SAN like "DNS:www.company.com, DNS:site.company.com, DNS:company.com".

 

Note that you don't need to export the private key from F5.

 

Now for the parts not covered in K14620...

 

1. Signing the CSR.

I like using openssl for the key/CSR/certificate checking, but honestly it's way easier to use a software like SimpleAuthority to create a CA and create or sign certificates. You can get it here: https://simpleauthority.com/

 

2. Making your own CA trusted in client machines

Export the public CA certificate to a PEM format or any other you prefer. In windows, click the file. Click the "Install Certificate..." button, it should open the "import certificate" wizard. Choose Current User or Local Machine. In the next step don't use the automatic option; force the certificate to be installed in the "Trusted Root Certification Authorities".

 

3a. Putting it all together v1 (full SSL offload)

Your Virtual Server will need at least 2 profiles: HTTP and Client-SSL. The client SSL profile will use the certificate and key you created, like explained in the article. If you're using plain HTTP on the server side, that's it.

 

3b. Putting it all together v2 (HTTPS in the backend)

Some organizations require full encryption also on server side. If this is the case you will also need a Server-SSL profile. You can use the default "serverssl", it'll gobble anything, including invalid certificates.

 

Mike

Nitesh's avatar
Nitesh
Icon for Cirrus rankCirrus
Sep 06, 2021

 I will do it all over again keeping above points in mind. Thankyou for taking out your precious time and replying.