Solved

Server Certificate, Windows 2008 r2

Posted on 2014-01-26
Last Modified: 2014-01-28
Hi,

I have a Win 2008 R2 standalone CA.
I want to issue a server certificate for an F5 BIG-IP and also for an internal server.
I am a little unclear about which key usages must be selected.
I see some certificates from public domain sites having Digital Signature, Key Encipherment and Data Encipherment.
Can someone help with what needs to be selected?
The BIG-IP will be front facing to the Internet.

Regards,
Sasi.
Question by: Skumar_CCSA
7 Comments
 
LVL 25

Expert Comment

by: Cyclops3590
ID: 39810968
So the only people accessing this F5 VIP are clients within your own domain that have the Win2k8 CA root or intermediate cert installed? If not, then it's pointless to create a private/public key pair and have your CA create a certificate with the public key generated.

Author Comment

by: Skumar_CCSA
ID: 39810982
Basically the F5 BIG-IP has a virtual server running on it which will be configured with a public IP for clients. I basically need a cert for the device and also for the virtual server.
Looking for help...
LVL 25

Expert Comment

by: Cyclops3590
ID: 39811008
F5 generating SSL key pair:
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7388.html

However, I wouldn't have the CSR signed by your CA. If you are having anyone on the Internet accessing this then you should have it signed by Verisign or someone like them; otherwise the clients won't trust the certificate and it's as good as having a self-signed cert.

BTW, the only thing I would change in those instructions is instead of doing a 1024 bit key, do a 2048 bit key. 1024 bit keys are not recommended anymore.
Author Comment

by: Skumar_CCSA
ID: 39811015
True, thanks.
I have noticed another problem.
I have created a self-signed certificate; after I do this and bind the certificate I am still getting certification .
LVL 83

Assisted Solution

by: David Johnson, CD, MVP (earned 300 total points)
ID: 39811107
Self-signed certificates are not trusted since when we go up the certificate tree it will end at your machine, and you do not have a trusted certificate authority matching your machine in its trusted root or intermediate certificate issuing authority store. The certificate authority has set issuing policies and you have to prove to them that you are who you represent yourself to be, and then they will issue the certificate. I'd suggest that you view http://www.youtube.com/watch?v=G14m_BjTwXk and especially http://vimeo.com/tag:briankomar
LVL 25

Accepted Solution

by: Cyclops3590 (earned 1200 total points)
ID: 39811917
Here's a very brief summary of how certificates work (sorry, still working on my article on this topic).

1) Create a private/public key pair (the common name is most important, but make sure all fields are as accurate as possible).
2) Create a CSR (certificate signing request). You submit this to whatever CA you want to have your public key signed by. You will need to submit a little more data, but not much more.
3) They give you a server certificate.
4) Install the private key and public server certificate into the server/F5. You may also need to install the root and intermediate certificates of the org that signed your server cert and link them together for cert chaining reasons.

When the client connects, most clients validate a few main items:
1) Date of validity - the date range in which the cert is considered valid to be used
2) Chain of trust - is your cert signed by an org I trust?
3) Common name (CN) or subject alternative names (SANs) - the domain name used to connect to the site

Self-signed certs are by definition signed by the server that created them. Thus you basically have to say you trust the person that gave you the cert. Most of the time this isn't a recommended form of certificate trust. The vast majority of the time, browsers (already coming with trust for Verisign, Entrust, etc.) will want to see the retrieved server cert signed by an already trusted org; otherwise you'll get the error you're seeing.

This is why I asked whether only people in your company that you have admin responsibility over are accessing the site, or anyone. If anyone, you should get it signed by a professional certificate signing organization. If only your company, then sign it with your CA, but make sure to get your CA's root/intermediate certificates installed into all of the computers. That way you won't get those warnings/errors.
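The steps and the three client-side checks in the accepted solution, worked through with the Go standard library as an added example (not code from the thread or from F5): a private standalone CA root signs a 2048-bit RSA server certificate carrying the key usages the question asks about, and `Verify` shows the chain passing only when the root is trusted and the hostname matches a SAN. All hostnames and CA names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert signs tmpl with priv (self-signed when parent == tmpl) and returns the parsed cert.
func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}

// BuildChain follows the thread's steps: a private (standalone) CA root signs a 2048-bit RSA
// server cert for the BIG-IP virtual server. Hostnames and CA name are constructed examples.
func BuildChain() (root, server *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048, not 1024, as advised above
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Standalone CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	root = mustCert(ca, ca, &caKey.PublicKey, caKey)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "bigip.example.internal"},
		DNSNames:  []string{"bigip.example.internal", "vs1.example.internal"}, // SANs clients match on
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		// Of the usages listed in the question, a TLS server cert needs these two plus the Server Auth EKU.
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server = mustCert(srv, root, &srvKey.PublicKey, caKey)
	return root, server
}

// Verify runs the client-side checks from the accepted answer: validity dates, chain to a trusted
// root, and hostname against CN/SANs. An empty trusted list gives the "untrusted" failure a browser shows.
func Verify(server *x509.Certificate, trusted []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Installing the root into the clients' trusted root store is what turns the failing `Verify(server, nil, ...)` case into the passing one; the server certificate itself does not change.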

Author Closing Comment

by: Skumar_CCSA
ID: 39816669
Thanks, problem solved.