We're getting close (hopefully) to rolling out our PAN boxes and I'm working on getting together information to pass up the chain on features like SSL Decryption and SSL certificate security.
I've got a few questions concerning best practices on certification generation on the PAN boxes and how the certs are used:
Hope that all makes sense? I've been reading up on the articles and the tech notes but I wasn't able to find anything to clarify these questions.
1. RSA is good for backward compatibility, but ECDSA is higher security and newer tech. If your users are largely going to be clients using browsers, I'd opt for ECDSA.
2. Either is fine, there is no functional difference. Some admins prefer to separate the duties of the certificates (finer control but more management) and others prefer simplicity. There is no difference at all. It's worth saying that you can use a public CA for the GP gateway and portal as long as you're using hostnames instead of IPs, and that makes the deployment easier as there's nothing needed to push to the clients.
3. I'd push both. There's no reason to not include every CA in the chain when pushing it. However, if your GP portal & gateway certs are signed by a public CA you won't need to push anything to the clients as they'll automatically trust them.
Thanks for the reply gwesson.
Has anyone run into any issues using ECDSA? And has anyone encountered any real-world performance issues by using the higher bits and/or better digests?
While playing around with ECDSA generation this morning I noticed the Forward Trust and Forward Untrust are greyed out and not selectable even when the cert is a CA and Trusted Root CA. Is SSL Forwrad Proxy decryption not supported with ECDSA certs? I'm currently using the 7.1.6 release.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!