Forum Discussion

RobM's avatar
RobM
Icon for Cirrus rankCirrus
Mar 15, 2022
Solved

unsupported certificate error with device certificates

Hello All.  I'd appreciate some help debugging an issue with new device certificates, and communication between two of our f5s. We replaced the certs under Device Certificate Management, and each se...
security
ssl
  • RobM's avatar
    RobM
    Mar 16, 2022

    I believe that I may have worked this out, though I need a new cert, so I havent yet tested the solution.  The device cert that we received from our CA has the extended attribute:

                Extension (id-ce-extKeyUsage)
                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                KeyPurposeIDs: 1 item
                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)

    But this document: Overview of BIG-IP device certificates (11.x - 16.x) (f5.com) states:

    "SSL certificates signed by a third-party CA must include both the client authentication (clientAuth) and server authentication (serverAuth) extended key usage (EKU) extensions to allow use by both server and client applications."

    Which makes sense.  I checked the request generated by our device, and it doesn't specify any restriction - might be worth it specifically requesting both clientAuth and serverAuth - so apparently adding the restriction was our CAs idea.

RobM's avatar
RobM
Icon for Cirrus rankCirrus
Mar 16, 2022

I believe that I may have worked this out, though I need a new cert, so I havent yet tested the solution.  The device cert that we received from our CA has the extended attribute:

            Extension (id-ce-extKeyUsage)
                Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
                KeyPurposeIDs: 1 item
                    KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)

But this document: Overview of BIG-IP device certificates (11.x - 16.x) (f5.com) states:

"SSL certificates signed by a third-party CA must include both the client authentication (clientAuth) and server authentication (serverAuth) extended key usage (EKU) extensions to allow use by both server and client applications."

Which makes sense.  I checked the request generated by our device, and it doesn't specify any restriction - might be worth it specifically requesting both clientAuth and serverAuth - so apparently adding the restriction was our CAs idea.