For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Implementing SSL Orchestrator - Certificate Considerations

Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a tri...
Published Jan 09, 2020
Version 1.0
BIG-IP
certificate
csr
decryption
private key
security
series-big-ip-ssl-orchestrator
SSL Orchestrator
KevinGallaugher's avatar
Icon for Employee rankEmployee
Technical Marketing Engineer for SSL Orchestrator. I have over 25 years experience in Cybersecurity, with over 15 years spent as a Technical Marketing Engineer. Prior to F5 I worked at Blue Coat, Gigamon and Fortinet.
View Profile
KevinGallaugher's avatar
Icon for Employee rankEmployee
Technical Marketing Engineer for SSL Orchestrator. I have over 25 years experience in Cybersecurity, with over 15 years spent as a Technical Marketing Engineer. Prior to F5 I worked at Blue Coat, Gigamon and Fortinet.
View Profile
xRes's avatar
xRes
Icon for Cirrus rankCirrus
Jan 30, 2020

Hi Piotr

Just to share some thoughts: seems to me that we need at least those 3 flags:

• Digital Signature key usage (digitalSignature)

• Certificate Signing key usage (keyCertSign)

• CA Basic Constraint set to TRUE

These should be enough.

 

Apart from that - I see this sentence "Using OpenSSL (...) is not preferred but may be appropriate for a demo or testing purposes. This information is provided as a courtesy" - thats interesting, I think that using F5 GUI to generate CSR is a bad idea and has always been, guys from MS CA seem to hate that - I have always been forced by them to use openssl (usually by utilizing preconfigured config file as you cannot do everything by simply running openssl via CLI). Wonder if you have other experience about that.

 

Regards

Mariusz