I generated CSRs using the web gui to send to our CA, to replace new device certs. The new certs came back without the client-auth Extended Key Usage attribute set. The documentation is quite clear that it must be, so it's my fault for not communicating that to the CA. But if the CSR had included that EKU in the Requested Extensions, then I wouldn't have had to remember (at least, if my CA honored the request...)
Hey @RobM , after some digging, we determined this has not been filed as a Request for Enhancement yet. This is a great use case, though and we could take this further by having a Request for Enhancement to track this. This process would involve opening a case with F5 Support and asking for an "RFE" and providing a description of the enhancement and the use case it addresses.
Before that, if you haven't already, I would suggest speaking with the F5 Solutions Engineer for your account. They'll be familiar with the RFE process and can help with properly filing it.
If you're unfamiliar with who your F5 Solutions Engineer is for your account, please PM me and I can help you track them down.
@RobM - What @buulam said is the best next steps for the meat of your request.
But there is a meta-aspect to this request that I will handle on DevCentral.
1) I'll put in some language on the Suggestions page and editor indicating how to make a Request For Enhancement of a product.
2) I'll put similar language in our HELP section.
I'm going to mark your suggestion as ACCEPTED for the purposes of the clarifications I'll make to DevCentral - the RFE process Buu outlined will decide on that request separately.
Thanks for helping us make the product (and the community site) better.
@RobM Thank you for submitting this feedback about the GUI.
Note that if you use the BIG-IP command line, you can include EKU extensions in your certificate request. However, the certificate authority that signs your request determines the extensions to add and can choose not to copy your requested extensions.
For more information about using the BIG-IP command line, refer to these recently updated articles:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.