Solved

Server Certificate, Windows 2008 r2

Posted on 2014-01-26
7
634 Views
Last Modified: 2014-01-28
Hi..

I am having Win 2008 R2 Standalone CA.
i want to issue server certificate for F5 BIG-IP and also for internal server.
i am little unclear what are the key usage must select.
I see some certificate form public domain sites..having idea of DIGITAL Signature, Key Encipherment, Data  Encipherment.
Can someone help whats need to be selected.
BIG-IP will be front facing to the Internet.

Regards,
Sasi.
0
Comment
Question by:Skumar_CCSA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39810968
so the only people accessing this F5 VIP is clients within your own domain that have the win2k8 CA root or intermediate cert installed?  If not then its pointless to create a private/public key pair and have your CA create a certificate with the public key generated.
0
 

Author Comment

by:Skumar_CCSA
ID: 39810982
Basically F5 BIG IP has virtual server running on it which will be configured with public IP for clients. I basically need cert for device and also for virtual server.
Looking help .....
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39811008
F5 generating SSL key pair:
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7388.html

However I wouldn't have the CSR signed by your CA.  If you are having anyone on the internet accessing this then you should have it signed by Verisign or someone like them otherwise the clients won't trust the certificate and its as good as have a self-signed cert.

BTW, the only thing I would change in those instructions is instead of doing a 1024 key, do a 2048 bit key.  1024 bit keys are not recommended anymore.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:Skumar_CCSA
ID: 39811015
True thanks.....
I have noticed another problem.
I have created self sing certificate, after I do this and bind the certificate still I am getting certification .
0
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39811107
Self signed certificates are not trusted since when we go up the certificates tree It will end at your machine and you do not have a trusted certificate authority matching your machine in its trusted root or intermediate certificate issuing authority store.  The certicate authority has set issuing policies and you have to prove to them that you are who you represent you to be to them and then they will issue the certificate. I'd suggest that you view http://www.youtube.com/watch?v=G14m_BjTwXk and especially http://vimeo.com/tag:briankomar
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 400 total points
ID: 39811917
Here's a very brief summary for how certificates work (sorry still working on my article on this topic).

1) create private/public key pair (common name is most important, but make sure all fields are as accurate as possible)
2) create a CSR (certificate signing request).  You submit this to whatever CA that you want to have your public key signed by.  You will need to submit a little more data, but not much more
3) They give you a server certificate
4) install the private key and public server certificate into the server/F5.  You may also need to install the root and intermediate certificates of the org that signed your server cert and link them together for cert chaining reasons

When the client connects, most clients validate a few main items:
1) Date of validity - valid date range cert is considered valid to be used
2) Chain of trust - is your cert signed by an org I trust
3) common name (CN) or subject alternative names (SANs) - domain name used to connect to site

self-signed certs are by definition signed by the server that created it.  Thus you basically have to say you trust the person that gave you the cert.  Most of the time this isn't a recommended form of doing certificate trust.  The vast majority of the time, browsers (already coming with trust for Verisign, Entrust, etc.) will like to see the server cert retrieved signed by an already trusted org otherwise you'll get the error you're seeing.  

This is why I asked if only people in your company that you have admin responsibility over are accessing the site or anyone.  If anyone, you should get it signed by a professional certificate signing organization. If only your company, then sign it by your CA but make sure to get your CA's root/intermediate certificates installed into all of the computers.  That way you won't get those warnings/errors.
0
 

Author Closing Comment

by:Skumar_CCSA
ID: 39816669
Thanks..
problem solved.
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question