Solved

Server Certificate, Windows 2008 r2

Posted on 2014-01-26
7
623 Views
Last Modified: 2014-01-28
Hi..

I am having Win 2008 R2 Standalone CA.
i want to issue server certificate for F5 BIG-IP and also for internal server.
i am little unclear what are the key usage must select.
I see some certificate form public domain sites..having idea of DIGITAL Signature, Key Encipherment, Data  Encipherment.
Can someone help whats need to be selected.
BIG-IP will be front facing to the Internet.

Regards,
Sasi.
0
Comment
Question by:Skumar_CCSA
  • 3
  • 3
7 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39810968
so the only people accessing this F5 VIP is clients within your own domain that have the win2k8 CA root or intermediate cert installed?  If not then its pointless to create a private/public key pair and have your CA create a certificate with the public key generated.
0
 

Author Comment

by:Skumar_CCSA
ID: 39810982
Basically F5 BIG IP has virtual server running on it which will be configured with public IP for clients. I basically need cert for device and also for virtual server.
Looking help .....
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39811008
F5 generating SSL key pair:
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7388.html

However I wouldn't have the CSR signed by your CA.  If you are having anyone on the internet accessing this then you should have it signed by Verisign or someone like them otherwise the clients won't trust the certificate and its as good as have a self-signed cert.

BTW, the only thing I would change in those instructions is instead of doing a 1024 key, do a 2048 bit key.  1024 bit keys are not recommended anymore.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:Skumar_CCSA
ID: 39811015
True thanks.....
I have noticed another problem.
I have created self sing certificate, after I do this and bind the certificate still I am getting certification .
0
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39811107
Self signed certificates are not trusted since when we go up the certificates tree It will end at your machine and you do not have a trusted certificate authority matching your machine in its trusted root or intermediate certificate issuing authority store.  The certicate authority has set issuing policies and you have to prove to them that you are who you represent you to be to them and then they will issue the certificate. I'd suggest that you view http://www.youtube.com/watch?v=G14m_BjTwXk and especially http://vimeo.com/tag:briankomar
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 400 total points
ID: 39811917
Here's a very brief summary for how certificates work (sorry still working on my article on this topic).

1) create private/public key pair (common name is most important, but make sure all fields are as accurate as possible)
2) create a CSR (certificate signing request).  You submit this to whatever CA that you want to have your public key signed by.  You will need to submit a little more data, but not much more
3) They give you a server certificate
4) install the private key and public server certificate into the server/F5.  You may also need to install the root and intermediate certificates of the org that signed your server cert and link them together for cert chaining reasons

When the client connects, most clients validate a few main items:
1) Date of validity - valid date range cert is considered valid to be used
2) Chain of trust - is your cert signed by an org I trust
3) common name (CN) or subject alternative names (SANs) - domain name used to connect to site

self-signed certs are by definition signed by the server that created it.  Thus you basically have to say you trust the person that gave you the cert.  Most of the time this isn't a recommended form of doing certificate trust.  The vast majority of the time, browsers (already coming with trust for Verisign, Entrust, etc.) will like to see the server cert retrieved signed by an already trusted org otherwise you'll get the error you're seeing.  

This is why I asked if only people in your company that you have admin responsibility over are accessing the site or anyone.  If anyone, you should get it signed by a professional certificate signing organization. If only your company, then sign it by your CA but make sure to get your CA's root/intermediate certificates installed into all of the computers.  That way you won't get those warnings/errors.
0
 

Author Closing Comment

by:Skumar_CCSA
ID: 39816669
Thanks..
problem solved.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now