Implementing SSL Orchestrator - Certificate Considerations
Hi Piotr
Just to share some thoughts: seems to me that we need at least those 3 flags:
• Digital Signature key usage (digitalSignature)
• Certificate Signing key usage (keyCertSign)
• CA Basic Constraint set to TRUE
These should be enough.
Apart from that - I see this sentence "Using OpenSSL (...) is not preferred but may be appropriate for a demo or testing purposes. This information is provided as a courtesy" - thats interesting, I think that using F5 GUI to generate CSR is a bad idea and has always been, guys from MS CA seem to hate that - I have always been forced by them to use openssl (usually by utilizing preconfigured config file as you cannot do everything by simply running openssl via CLI). Wonder if you have other experience about that.
Regards
Mariusz