Solved

Server Certificate, Windows 2008 r2

Posted on 2014-01-26
7
630 Views
Last Modified: 2014-01-28
Hi,

I have a Win 2008 R2 standalone CA.
I want to issue a server certificate for F5 BIG-IP and also for an internal server.
I am a little unclear on which key usages must be selected.
I see some certificates from public domain sites having Digital Signature, Key Encipherment and Data Encipherment.
Can someone help with what needs to be selected?
BIG-IP will be front facing to the Internet.

Regards,
Sasi.
0
Comment
Question by:Skumar_CCSA
7 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39810968
So the only people accessing this F5 VIP are clients within your own domain that have the Win2k8 CA root or intermediate cert installed? If not, then it's pointless to create a private/public key pair and have your CA create a certificate with the public key generated.
0
 

Author Comment

by:Skumar_CCSA
ID: 39810982
Basically the F5 BIG-IP has a virtual server running on it which will be configured with a public IP for clients. I basically need a cert for the device and also for the virtual server.
Looking for help...
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39811008
F5 generating SSL key pair:
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7388.html

However, I wouldn't have the CSR signed by your CA. If you are having anyone on the Internet access this, then you should have it signed by Verisign or someone like them; otherwise the clients won't trust the certificate and it's as good as having a self-signed cert.

BTW, the only thing I would change in those instructions is instead of doing a 1024-bit key, do a 2048-bit key. 1024-bit keys are not recommended anymore.
0
 

Author Comment

by:Skumar_CCSA
ID: 39811015
True, thanks.
I have noticed another problem.
I have created a self-signed certificate; after I do this and bind the certificate, I am still getting certification.
0
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39811107
Self-signed certificates are not trusted since when we go up the certificate tree it will end at your machine, and you do not have a trusted certificate authority matching your machine in its trusted root or intermediate certificate issuing authority store. The certificate authority has set issuing policies and you have to prove to them that you are who you represent yourself to be, and then they will issue the certificate. I'd suggest that you view http://www.youtube.com/watch?v=G14m_BjTwXk and especially http://vimeo.com/tag:briankomar
0
 
LVL 25

Accepted Solution

by:Cyclops3590
Cyclops3590 earned 400 total points
ID: 39811917
Here's a very brief summary of how certificates work (sorry, still working on my article on this topic).

1) Create a private/public key pair (the common name is most important, but make sure all fields are as accurate as possible).
2) Create a CSR (certificate signing request). You submit this to whatever CA you want to have your public key signed by. You will need to submit a little more data, but not much more.
3) They give you a server certificate.
4) Install the private key and public server certificate into the server/F5. You may also need to install the root and intermediate certificates of the org that signed your server cert and link them together for cert chaining reasons.

When the client connects, most clients validate a few main items:
1) Date of validity - the date range in which the cert is considered valid to be used
2) Chain of trust - is your cert signed by an org I trust?
3) Common name (CN) or subject alternative names (SANs) - the domain name used to connect to the site

Self-signed certs are by definition signed by the server that created them. Thus you basically have to say you trust the person that gave you the cert. Most of the time this isn't a recommended form of doing certificate trust. The vast majority of the time, browsers (already coming with trust for Verisign, Entrust, etc.) will want to see the retrieved server cert signed by an already trusted org; otherwise you'll get the error you're seeing.

This is why I asked whether only people in your company that you have admin responsibility over are accessing the site, or anyone. If anyone, you should get it signed by a professional certificate signing organization. If only your company, then sign it with your CA, but make sure to get your CA's root/intermediate certificates installed on all of the computers. That way you won't get those warnings/errors.
0
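The four-step CSR workflow and the three client checks from the accepted solution, walked through with openssl as an added example (not part of the thread or of F5's instructions). The hostname bigip.example.internal and the "Example Internal CA" are constructed, and the throwaway private CA stands in for the poster's Windows 2008 R2 standalone CA.

```shell
#!/bin/sh
# Added example: CSR workflow, then the three checks a client performs
# (dates, chain of trust, CN/SAN), all driven with openssl in a scratch dir.
# All names below are constructed for the demonstration.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
HOST="bigip.example.internal"

# Steps 1-2: 2048-bit key pair (the thread advises against 1024) plus a CSR.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=$HOST/O=Example Org" 2>/dev/null
}

# Step 3: a private CA (stand-in for the Win2k8 R2 standalone CA) signs the CSR.
# The extension file adds the SAN and the key usages the question asks about.
sign_with_private_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -keyout ca.key \
    -out ca.crt -subj "/CN=Example Internal CA" 2>/dev/null
  cat > ext.cnf <<EOF
subjectAltName=DNS:$HOST
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile ext.cnf -out server.crt 2>/dev/null
}

# Check 1: date of validity (exit 0 while "now" is inside the validity range).
check_dates() { openssl x509 -in server.crt -noout -checkend 0 >/dev/null; }

# Check 2: chain of trust. With the CA root installed the chain verifies;
# without it (the anonymous Internet client case) the same cert is untrusted.
check_chain_with_root()    { openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1; }
check_chain_without_root() { openssl verify server.crt >/dev/null 2>&1; }

# Check 3: the name the client connected to must match the CN/SAN.
check_hostname() { openssl verify -CAfile ca.crt -verify_hostname "$1" server.crt >/dev/null 2>&1; }

make_key_and_csr
sign_with_private_ca
for t in check_dates check_chain_with_root check_chain_without_root \
         "check_hostname $HOST" "check_hostname www.other.example"; do
  if $t; then echo "PASS  $t"; else echo "FAIL  $t"; fi
done
```

Step 4 is the only part not shown: server.key, server.crt and ca.crt are what get installed on the server/F5, and ca.crt is what the internal clients must have in their trusted root store for check 2 to pass.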
 

Author Closing Comment

by:Skumar_CCSA
ID: 39816669
Thanks, problem solved.
0
