Implementing SSL Orchestrator - Certificate Considerations

Introduction This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS Decryption is not a tri...
Published Jan 09, 2020
Version 1.0
BIG-IP
certificate
csr
decryption
private key
security
series-big-ip-ssl-orchestrator
SSL Orchestrator
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Jan 31, 2020

Hi,

 - Mariusz, thanks for info. Sure Off-line CRL Signing and CRL Signing are not required here - just copied values from my intermediate CA, I am lazy man šŸ™‚

What puzzles me here is if it is really required or is rather best practice to be in line with PKI related standards. I am 99% sure that in my lab tests I used default key/cert (this one sure is not set with CA Basic Constraints) and that SSLO was still able to create forged site certs - but maybe I am wrong.

 

I would as well gladly hear why MS CA guys hate CSRs generated via BIG-IP GUI??? Any particular reasons for that? Not once created CSR via GUI and signed it with my MS CA (as well as TinyCA), no issues here. Did it as well using MS CA web app (CertSrv) - no problem with that.

As far as I understand how signing CSR works it's up to CA to sign it with proper "flags" - Am I missing something here?

We even have API based integration used to sign BIG-IQ (I know it's not BIG-IP, but CSR generation process is not so much different) generated CSR via MS CA - works like a charm šŸ˜Ž

 

 Sure, at least I agree :-), hope my nit picking do not create impression that I do not appreciate all your hard work put into creating this series - it quite opposite, in my opinion You did great work!!

Piotr