RobM's avatar
RobM
Icon for Cirrus rankCirrus
Mar 17, 2022
Status:
Accepted

CSRs generated from the web UI could include Entended Key Usage requests.

I generated CSRs using the web gui to send to our CA, to replace new device certs.  The new certs came back without the client-auth Extended Key Usage attribute set.  The documentation is quite clear that it must be, so it's my fault for not communicating that to the CA.  But if the CSR had included that EKU in the Requested Extensions, then I wouldn't have had to remember (at least, if my CA honored the request...)

5 Comments

Sort By
  • LiefZimmerman's avatar
    LiefZimmerman
    Icon for Admin rankAdmin
    Mar 17, 2022
    Status changed:
    New
    to
    Investigating

    RobM - thanks for the suggestion. I will do some digging and see where this lands.

    Cheers,
    Lief

  • buulam's avatar
    buulam
    Icon for Admin rankAdmin
    Mar 17, 2022

    Hey RobM , after some digging, we determined this has not been filed as a Request for Enhancement yet. This is a great use case, though and we could take this further by having a Request for Enhancement to track this. This process would involve opening a case with F5 Support and asking for an "RFE" and providing a description of the enhancement and the use case it addresses.

    Before that, if you haven't already, I would suggest speaking with the F5 Solutions Engineer for your account. They'll be familiar with the RFE process and can help with properly filing it.

    If you're unfamiliar with who your F5 Solutions Engineer is for your account, please PM me and I can help you track them down.

    Thanks,

    Buu

  • LiefZimmerman's avatar
    LiefZimmerman
    Icon for Admin rankAdmin
    Mar 17, 2022
    Status changed:
    Investigating
    to
    Accepted

    RobM - What buulam said is the best next steps for the meat of your request.

    But there is a meta-aspect to this request that I will handle on DevCentral.
    1) I'll put in some language on the Suggestions page and editor indicating how to make a Request For Enhancement of a product.

    2) I'll put similar language in our HELP section.

    I'm going to mark your suggestion as ACCEPTED for the purposes of the clarifications I'll make to DevCentral - the RFE process Buu outlined will decide on that request separately.

    Thanks for helping us make the product (and the community site) better.
    Lief

    ☘️

  • Anjuli_Lam's avatar
    Anjuli_Lam
    Icon for Employee rankEmployee
    Mar 29, 2022

    RobM Thank you for submitting this feedback about the GUI. 

    Note that if you use the BIG-IP command line, you can include EKU extensions in your certificate request. However, the certificate authority that signs your request determines the extensions to add and can choose not to copy your requested extensions. 

    For more information about using the BIG-IP command line, refer to these recently updated articles:

  • RobM's avatar
    RobM
    Icon for Cirrus rankCirrus
    Mar 29, 2022

    Thanks Anjuli.  I've added that link to the doco for our ops team.