Manual Chapter: Working with the OpenSSL Utility
4. Generate a client certificate with or without the LDAP CRL distribution point. Note that you must use OpenSSL 0.9.8.x or a newer version to generate certificates with embedded distribution points that are dirname-based addresses. (dirname is a utility that strips off the trailing part of a file name, and the result is the path name of the directory that contains the file.)
To generate the client certificate with the LDAP CRL distribution point, use the openssl x509 command, as in the following example:
openssl x509 -req -in auser1.req -out auser1.crt \
    -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
    -days 300 -CAcreateserial -CAserial serial \
    -extensions crl_ext -extfile bigmirror-ca.ext
To generate the client certificate without the LDAP CRL distribution point, use the openssl x509 command, as in the following example:
openssl x509 -req -in auser1.req -out auser1.crt \
    -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
    -days 300 -CAcreateserial -CAserial serial
To bundle the client certificate and its private key into a PKCS#12 file, use the openssl pkcs12 command, as in the following example:
openssl pkcs12 -export -in auser1.crt -inkey auser1.key \
    -out auser1.p12 -name "auser1 pkcs12"
If you want to generate the certificate with the LDAP CRL distribution point, use the openssl x509 command, as in the following example:
openssl x509 -req -in www.test.net.req -out www.test.net.crt \
    -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
    -days 300 -CAcreateserial -CAserial serial \
    -extensions crl_ext -extfile bigmirror-ca.ext
If you want to generate the certificate without the LDAP CRL distribution point, use the openssl x509 command, as in the following example:
openssl x509 -req -in www.test.net.req -out www.test.net.crt \
    -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
    -days 300 -CAcreateserial -CAserial serial
You can use the OpenSSL utility to create a certificate revocation list (CRL). The BIG-IP system checks a CRL to see if a client or server certificate being presented for authentication has been revoked.
First create a minimal configuration file for the openssl ca command, then generate the CRL, as in the following example:
echo -e 'default_ca=ca\n[ca]\ndatabase=index.txt\nserial=serial' > bigmirror-ca.config
openssl ca -config bigmirror-ca.config -gencrl -crldays 30 \
    -keyfile bigmirror-ca.key -cert bigmirror-ca.crt \
    -out bigmirror-ca.crl
Revoke a client certificate, using the openssl command from the BIG-IP system prompt. For example, to revoke the client certificate auser1.crt:
openssl ca -config bigmirror-ca.config -keyfile bigmirror-ca.key \
    -cert bigmirror-ca.crt -revoke auser1.crt
Note: When you are using the CRLDP authentication module, you must ensure that the CRLs are stored in a remote LDAP database, in ASN.1 DER format (Abstract Syntax Notation One, Distinguished Encoding Rules).
There are a number of other SSL-certificate-related tasks that you can perform, using the OpenSSL utility. You access this utility from the BIG-IP system prompt.
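The following is an added example, not part of the F5 manual and not BIG-IP code: a POSIX shell script that runs this chapter's commands end to end against a throw-away CA, so you can see the LDAP CRL distribution point inside the issued client certificate, produce the DER copy of the CRL that the CRLDP note asks for, and watch openssl verify -crl_check reject auser1.crt once it has been revoked. File and section names follow the page (bigmirror-ca.*, auser1.*, crl_ext, [ca]); the LDAP URI, the DN values, the PKCS#12 password and the [req] and [v3_ca] config sections are assumptions made for the demo. It also covers two things a practitioner hits when typing the page's commands into a current OpenSSL (1.1.1 or 3.x): openssl ca needs its index.txt database file to exist and a default_md, and a revocation is invisible to relying parties until the CRL is regenerated, which is why the script regenerates it after the revoke step.

```shell
#!/bin/sh
# Added example (not the F5 manual's own): run the page's certificate, CRL and
# revocation commands against a throw-away CA.  File names mirror the page;
# the LDAP URI, DN values, password and [req]/[v3_ca] sections are constructed.
set -e

# One config file plays the role of both bigmirror-ca.ext ([crl_ext]) and the
# page's echo-generated bigmirror-ca.config ([ca]).  Must run in the CA dir.
write_config() {
    cat > bigmirror-ca.cnf <<'EOF'
default_ca = ca
[ ca ]
database   = index.txt
serial     = serial
default_md = sha256
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ crl_ext ]
crlDistributionPoints = URI:ldap://ldap.example.com/cn=bigmirror-ca-crl
EOF
}

# (Re)generate the CRL from index.txt: PEM for openssl verify, plus the DER
# copy that the note says the CRLDP module expects to find in LDAP.
gen_crl() {
    openssl ca -config bigmirror-ca.cnf -gencrl -crldays 30 \
        -keyfile bigmirror-ca.key -cert bigmirror-ca.crt \
        -out bigmirror-ca.crl 2>/dev/null
    openssl crl -in bigmirror-ca.crl -outform DER -out bigmirror-ca.crl.der
}

# Build CA, client key/CSR, client cert with the CRL DP, PKCS#12 bundle and
# an initial empty CRL in a fresh directory; print that directory's path.
setup_ca() (
    work=$(mktemp -d)
    cd "$work"
    {
        write_config
        openssl genrsa -out bigmirror-ca.key 2048
        openssl req -new -x509 -config bigmirror-ca.cnf -extensions v3_ca \
            -key bigmirror-ca.key -subj "/O=BigMirror/CN=bigmirror CA" \
            -days 30 -out bigmirror-ca.crt
        openssl genrsa -out auser1.key 2048
        openssl req -new -config bigmirror-ca.cnf -key auser1.key \
            -subj "/O=BigMirror/CN=auser1" -out auser1.req
        # step 4 of the page, "with the LDAP CRL distribution point" form
        openssl x509 -req -in auser1.req -out auser1.crt \
            -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
            -days 300 -CAcreateserial -CAserial serial \
            -extensions crl_ext -extfile bigmirror-ca.cnf
        openssl pkcs12 -export -in auser1.crt -inkey auser1.key \
            -out auser1.p12 -name "auser1 pkcs12" -passout pass:demo-only
        : > index.txt    # openssl ca refuses to start without its database
        gen_crl
    } >&2
    printf '%s\n' "$work"
)

# Exit 0 when the certificate embeds the constructed LDAP distribution point.
cert_has_crldp() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'URI:ldap://ldap.example.com/cn=bigmirror-ca-crl'
}

# Exit 0 while DIR/CERT verifies with CRL checking, non-zero once revoked.
crl_check() (
    cd "$1"
    openssl verify -crl_check -CAfile bigmirror-ca.crt \
        -CRLfile bigmirror-ca.crl "$2" >/dev/null 2>&1
)

# The page's revoke command plus the step it leaves implicit: regenerate the
# CRL, otherwise relying parties keep seeing the old, empty list.
revoke_client() (
    cd "$1"
    openssl ca -config bigmirror-ca.cnf -keyfile bigmirror-ca.key \
        -cert bigmirror-ca.crt -revoke "$2" 2>/dev/null
    gen_crl
)

# Number of serial numbers listed in a DER CRL (0 for an empty one).
revoked_count() {
    openssl crl -inform DER -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

dir=$(setup_ca)                      # usage: the full revocation round trip
crl_check "$dir" auser1.crt && echo "before revocation: auser1.crt verifies"
revoke_client "$dir" auser1.crt
crl_check "$dir" auser1.crt || echo "after revocation: auser1.crt is rejected"
```

To embed a directory-name distribution point instead of a URI (the dirname form the page refers to), point crlDistributionPoints at a named section whose fullname is dirname:<section>, and put the DN components (C, O, CN) in that section; everything else in the script stays the same. Keep in mind that openssl verify never fetches the CRL from the LDAP address in the certificate; it only consults the CRL you hand it with -CRLfile, which is what makes the before/after check deterministic and offline.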