Implementing SSL Orchestrator - Certificate Considerations

Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a tri...
Published Jan 09, 2020
Version 1.0
BIG-IP
certificate
csr
decryption
private key
security
series-big-ip-ssl-orchestrator
SSL Orchestrator
xRes's avatar
xRes
Icon for Cirrus rankCirrus
Jan 30, 2020

Hi Piotr

Just to share some thoughts: seems to me that we need at least those 3 flags:

• Digital Signature key usage (digitalSignature)

• Certificate Signing key usage (keyCertSign)

• CA Basic Constraint set to TRUE

These should be enough.

 

Apart from that - I see this sentence "Using OpenSSL (...) is not preferred but may be appropriate for a demo or testing purposes. This information is provided as a courtesy" - thats interesting, I think that using F5 GUI to generate CSR is a bad idea and has always been, guys from MS CA seem to hate that - I have always been forced by them to use openssl (usually by utilizing preconfigured config file as you cannot do everything by simply running openssl via CLI). Wonder if you have other experience about that.

 

Regards

Mariusz