Forum Discussion

RobM's avatar
Icon for Cirrus rankCirrus
Mar 15, 2022

unsupported certificate error with device certificates

Hello All.  I'd appreciate some help debugging an issue with new device certificates, and communication between two of our f5s. We replaced the certs under Device Certificate Management, and each se...
  • RobM's avatar
    Mar 16, 2022

    I believe that I may have worked this out, though I need a new cert, so I havent yet tested the solution.  The device cert that we received from our CA has the extended attribute:

                Extension (id-ce-extKeyUsage)
                    Extension Id: (id-ce-extKeyUsage)
                    KeyPurposeIDs: 1 item
                        KeyPurposeId: (id-kp-serverAuth)

    But this document: Overview of BIG-IP device certificates (11.x - 16.x) ( states:

    "SSL certificates signed by a third-party CA must include both the client authentication (clientAuth) and server authentication (serverAuth) extended key usage (EKU) extensions to allow use by both server and client applications."

    Which makes sense.  I checked the request generated by our device, and it doesn't specify any restriction - might be worth it specifically requesting both clientAuth and serverAuth - so apparently adding the restriction was our CAs idea.