Forum Discussion
mbamusa_59409
Nimbostratus
NimbostratusBad Character In SSL Cert.
Dear All ,
I trying to configure a SSL-Clent Profiles but when type the Pass Phrase it gives me BAD CHARACTER error .
Pass Phrase contains $ is this sign is not allowed in Pass Phrases on LTM ?
if yes it's not allowed is there any work around for this or i have to change the Pass Phrase?
WAITING FOR YOUR KIND RESPONSE
Thank you
m. bamusa
hooleylistCirrostratus
Hi,
I believe the only non-alphanumeric characters you can enter for an SSL key passphrase are:
period, asterisk, forward slash, dash, colon, underscore, question mark, equals, at sign, comma, ampersand and space (.*/-:_?=@,& )
If you want to keep a passphrase on the SSL key, you can remove it and add a new one that complies with this list of characters:
http://www.openssl.org/docs/apps/rsa.html
Change the existing passphrase from a key, my_encrypted.key
openssl rsa -des3 -in /config/ssl/ssl.key/original_encrypted.key -out /config/ssl/ssl.key/updated_encrypted.key
Aaron
mbamusa_59409Dear Hoolio,
Thank you very much for your kind replay ,
I Opened a case with F5 Support and I got the following replay , i tried it and it works fine :
This is a GUI issue which will be solved in the next major release of our software (v11). In the meantime, we can enter the passphrase via the commandline, there are no character restictions. Here is the procedure:
- Create the client ssl profile with any accepted passphrase.
- Via the command line, edit the /config/bigip.conf file
- Identify the profile section in the file (see an example below).
- Between the following braces, you will find the encrypted passphrase.
For example:
profile clientssl NicSSL {
defaults from clientssl
key "NicCert.key"
cert "NicCert.crt"
ca file "NicCA.crt"
client cert ca "NicCA.crt"
passphrase "$M$dd$4S7mOWS//HijBz9V/7/mmA==" << passphrase
peer cert mode require
authenticate always
}
- Modify it to include your valid passphrase
profile clientssl NicSSL {
defaults from clientssl
key "NicCert.key"
cert "NicCert.crt"
ca file "NicCA.crt"
client cert ca "NicCA.crt"
passphrase "hello$$$hello"
peer cert mode require
authenticate always
}
- You can now load the configuration. You will then be able to test the ssl profile.
b load
- The password is still in cleartext in the /config/bigip.conf file. This isn't very secure. Save the config, the passphrase will be saved encrypted.
b save
- Double check the file /config/bigip.conf to make sure the passphrase is now encrypted
grep passphrase /config/bigip.conf
THANK YOU
M. Bamusa
rangara10_75278Or....doing it with a bigpipe command updates it straight in memory, which will then save it encrypted onto the bigip.conf file when you sync or do a b save.
Just saved a step...:)
b profile clientssl NicSSL '{
defaults from clientssl
key "NicCert.key"
cert "NicCert.crt"
ca file "NicCA.crt"
client cert ca "NicCA.crt"
passphrase "hello$$$hello"
peer cert mode require
authenticate always
}'
Of course this will no longer work in v11 with the removal of bigpipe.