Implementing SSL Orchestrator - Certificate Considerations
Hi,
- Mariusz, thanks for the info. Sure, Off-line CRL Signing and CRL Signing are not required here - I just copied the values from my intermediate CA, I am a lazy man 🙂
What puzzles me here is whether it is really required or rather a best practice to be in line with PKI-related standards. I am 99% sure that in my lab tests I used the default key/cert (this one is surely not set with the CA Basic Constraints) and that SSLO was still able to create forged site certs - but maybe I am wrong.
I would as well gladly hear why the MS CA guys hate CSRs generated via the BIG-IP GUI??? Any particular reasons for that? More than once I created a CSR via the GUI and signed it with my MS CA (as well as TinyCA), no issues here. Did it as well using the MS CA web app (CertSrv) - no problem with that.
As far as I understand how signing a CSR works, it's up to the CA to sign it with the proper "flags" - am I missing something here?
We even have an API-based integration used to sign BIG-IQ (I know it's not BIG-IP, but the CSR generation process is not so much different) generated CSRs via MS CA - works like a charm 😎
Sure, at least I agree :-), I hope my nit-picking does not create the impression that I do not appreciate all the hard work you put into creating this series - quite the opposite, in my opinion you did great work!!
Piotr
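The two points raised above (does the forging CA need CA Basic Constraints, and who decides the certificate "flags", the CSR or the CA) can be checked locally with openssl before a certificate is loaded into SSL Orchestrator. The script below is an added example and not part of the thread or of any F5 product; the working directory, the subject names (forge-ca, plain-leaf) and the extension sets are constructed for the demonstration. It builds two self-signed test certificates from CSRs that request no extensions at all, lets the signing step (the CA's policy, via -extfile) decide the extensions, and then reports which of the two carries CA:TRUE plus keyCertSign, which is what a standards-conforming TLS client expects from the issuer of a forged site certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI (1.1.1 or newer).
set -e
WORK="$(mktemp -d)"                      # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME EXTENSIONS
# Creates a key and a CSR that requests no extensions, then self-signs it.
# The extensions come only from the -extfile, i.e. from the signing side:
# this mirrors the point that the CA, not the CSR, decides the final "flags".
gen_cert() {
  name="$1"; exts="$2"
  openssl genrsa -out "$WORK/$name.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
      -out "$WORK/$name.csr" >/dev/null 2>&1
  printf '%s\n' "$exts" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 1 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# csr_requests_extensions FILE
# Returns 0 when the CSR carries a requested-extensions attribute, 1 otherwise.
csr_requests_extensions() {
  openssl req -in "$1" -noout -text | grep -q 'Requested Extensions' 
}

# is_issuing_ca FILE
# Returns 0 when the certificate has basicConstraints CA:TRUE and the
# keyCertSign key usage, i.e. when it is fit to issue (forge) site certificates;
# returns 1 when either is missing.
is_issuing_ca() {
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
  return 0
}

# A CA-style extension set (what the SSLO forging CA should carry) ...
gen_cert forge-ca 'basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
# ... and a plain server-style set (what a default device cert looks like).
gen_cert plain-leaf 'basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment'

for n in forge-ca plain-leaf; do
  if csr_requests_extensions "$WORK/$n.csr"; then
    echo "$n.csr: requests extensions"
  else
    echo "$n.csr: requests no extensions (the CA added them at signing time)"
  fi
  if is_issuing_ca "$WORK/$n.crt"; then
    echo "$n.crt: usable as an issuing/forging CA (CA:TRUE, keyCertSign)"
  else
    echo "$n.crt: NOT usable as an issuing CA (missing CA:TRUE or keyCertSign)"
  fi
done
```

Running the script prints that neither CSR requested extensions, yet forge-ca.crt ends up CA-capable and plain-leaf.crt does not, because the extension file on the signing side decided the outcome. The same is_issuing_ca check can be pointed at an exported SSLO forging CA certificate to confirm, before deployment, that clients which enforce basic constraints will accept the forged site certificates chained to it.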