Bad Character In SSL Cert.

Hi,

 

 

I believe the only non-alphanumeric characters you can enter for an SSL key passphrase are:

 

 

period, asterisk, forward slash, dash, colon, underscore, question mark, equals, at sign, comma, ampersand and space (.*/-:_?=@,& )

 

 

If you want to keep a passphrase on the SSL key, you can remove it and add a new one that complies with this list of characters:

 

 

http://www.openssl.org/docs/apps/rsa.html

 

Change the existing passphrase from a key, my_encrypted.key

 

openssl rsa -des3 -in /config/ssl/ssl.key/original_encrypted.key -out /config/ssl/ssl.key/updated_encrypted.key

 

 

Aaron

Dear Hoolio,

 

 

Thank you very much for your kind replay ,

 

 

I Opened a case with F5 Support and I got the following replay , i tried it and it works fine :

 

 

This is a GUI issue which will be solved in the next major release of our software (v11). In the meantime, we can enter the passphrase via the commandline, there are no character restictions. Here is the procedure:

 

 

- Create the client ssl profile with any accepted passphrase.

 

- Via the command line, edit the /config/bigip.conf file

 

- Identify the profile section in the file (see an example below).

 

- Between the following braces, you will find the encrypted passphrase.

 

 

For example:

 

 

profile clientssl NicSSL {

 

defaults from clientssl

 

key "NicCert.key"

 

cert "NicCert.crt"

 

ca file "NicCA.crt"

 

client cert ca "NicCA.crt"

 

passphrase "$M$dd$4S7mOWS//HijBz9V/7/mmA==" << passphrase

 

peer cert mode require

 

authenticate always

 

}

 

 

- Modify it to include your valid passphrase

 

 

profile clientssl NicSSL {

 

defaults from clientssl

 

key "NicCert.key"

 

cert "NicCert.crt"

 

ca file "NicCA.crt"

 

client cert ca "NicCA.crt"

 

passphrase "hello$$$hello"

 

peer cert mode require

 

authenticate always

 

}

 

 

- You can now load the configuration. You will then be able to test the ssl profile.

 

 

b load

 

 

- The password is still in cleartext in the /config/bigip.conf file. This isn't very secure. Save the config, the passphrase will be saved encrypted.

 

 

b save

 

 

- Double check the file /config/bigip.conf to make sure the passphrase is now encrypted

 

 

 

grep passphrase /config/bigip.conf

 

 

THANK YOU

 

 

M. Bamusa

 

Or....doing it with a bigpipe command updates it straight in memory, which will then save it encrypted onto the bigip.conf file when you sync or do a b save.

 

 

Just saved a step...:)

 

 

b profile clientssl NicSSL '{

 

defaults from clientssl

 

key "NicCert.key"

 

cert "NicCert.crt"

 

ca file "NicCA.crt"

 

client cert ca "NicCA.crt"

 

passphrase "hello$$$hello"

 

peer cert mode require

 

authenticate always

 

}'

 

 

Of course this will no longer work in v11 with the removal of bigpipe.