  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 645

Server Certificate, Windows 2008 r2

Hi,

I have a Win 2008 R2 Standalone CA.
I want to issue a server certificate for F5 BIG-IP and also for an internal server.
I am a little unclear about which key usages must be selected.
I have seen some certificates from public domain sites, which gave me the idea of Digital Signature, Key Encipherment, Data Encipherment.
Can someone help with what needs to be selected?
BIG-IP will be front-facing to the Internet.

Regards,
Sasi.
0
Asked by: Skumar_CCSA
 
Cyclops3590 Commented:
So the only people accessing this F5 VIP are clients within your own domain that have the win2k8 CA root or intermediate cert installed? If not, then it's pointless to create a private/public key pair and have your CA create a certificate with the public key generated.
0
 
Skumar_CCSA (Author) Commented:
Basically, F5 BIG-IP has a virtual server running on it which will be configured with a public IP for clients. I basically need a cert for the device and also for the virtual server.
Looking for help...
0
 
Cyclops3590 Commented:
F5 generating SSL key pair:
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7388.html

However, I wouldn't have the CSR signed by your CA. If you are having anyone on the internet accessing this, then you should have it signed by Verisign or someone like them; otherwise the clients won't trust the certificate and it's as good as having a self-signed cert.

BTW, the only thing I would change in those instructions is, instead of doing a 1024-bit key, do a 2048-bit key. 1024-bit keys are not recommended anymore.
0
Skumar_CCSA (Author) Commented:
True, thanks.
I have noticed another problem.
I have created a self-signed certificate; after I do this and bind the certificate, I am still getting certification .
0
 
David Johnson, CD, MVP (Owner) Commented:
Self-signed certificates are not trusted since, when we go up the certificate tree, it will end at your machine, and you do not have a trusted certificate authority matching your machine in its trusted root or intermediate certificate issuing authority store. The certificate authority has set issuing policies and you have to prove to them that you are who you represent yourself to be, and then they will issue the certificate. I'd suggest that you view http://www.youtube.com/watch?v=G14m_BjTwXk and especially http://vimeo.com/tag:briankomar
0
 
Cyclops3590 Commented:
Here's a very brief summary for how certificates work (sorry still working on my article on this topic).

1) create private/public key pair (common name is most important, but make sure all fields are as accurate as possible)
2) create a CSR (certificate signing request).  You submit this to whatever CA that you want to have your public key signed by.  You will need to submit a little more data, but not much more
3) They give you a server certificate
4) install the private key and public server certificate into the server/F5.  You may also need to install the root and intermediate certificates of the org that signed your server cert and link them together for cert chaining reasons

When the client connects, most clients validate a few main items:
1) Date of validity - valid date range cert is considered valid to be used
2) Chain of trust - is your cert signed by an org I trust
3) common name (CN) or subject alternative names (SANs) - domain name used to connect to site

Self-signed certs are by definition signed by the server that created them. Thus you basically have to say you trust the person that gave you the cert. Most of the time this isn't a recommended form of doing certificate trust. The vast majority of the time, browsers (already coming with trust for Verisign, Entrust, etc.) will like to see the server cert retrieved signed by an already trusted org; otherwise you'll get the error you're seeing.

This is why I asked if only people in your company that you have admin responsibility over are accessing the site or anyone.  If anyone, you should get it signed by a professional certificate signing organization. If only your company, then sign it by your CA but make sure to get your CA's root/intermediate certificates installed into all of the computers.  That way you won't get those warnings/errors.
0
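The issuance steps and client checks summarized in the answer above can be reproduced offline with the `openssl` CLI. This is an added example, not part of the thread and not F5 or Windows CA tooling; the CA names, the host name `www.example.test` and the key-usage profile are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example. All names (Demo ... Root CA, www.example.test) are constructed.
set -eu
WORK=$(mktemp -d)

# A self-signed root: "private" stands in for the in-house CA,
# "public" for a CA that outside clients already trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo $1 Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Steps 1-3: 2048-bit key pair, CSR, certificate signed by the CA named in $1.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  # Assumption: a common TLS server profile; the thread does not say which usages to pick.
  printf '%s\n' "subjectAltName=DNS:$2" "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/srv.crt" 2>/dev/null
}

# Client-side checks: validity dates, chain to the trust anchor in $1, name in $2.
client_accepts() {
  if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
       "$WORK/srv.crt" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# Size of the public key embedded in the issued certificate.
key_bits() {
  openssl x509 -in "$WORK/srv.crt" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_ca private
make_ca public
issue_server_cert private www.example.test
echo "key size:                 $(key_bits) bits"
echo "client with private root: $(client_accepts private www.example.test)"
echo "client without it:        $(client_accepts public www.example.test)"
echo "private root, wrong name: $(client_accepts private other.example.test)"
```

The second result is what an internet client sees when the certificate comes from a CA that is not in its trust store, which is the same failure a self-signed certificate produces.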
 
Skumar_CCSA (Author) Commented:
Thanks.
Problem solved.
0
