Forum Discussion
Cannot Renew Certificate and private key ( but keep the same name in F5 config )
Hi, I am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere ( ie not on the F5 ), and I have the cert/key from a CA already. The current certificate/key is in use. Trying to update either the certificate or the key results in the F5 complaining that the key does not match the certificate or vice versa.
So, several workarounds to do this would be to delete the certificate/key pair and recreate, or add the certificate/key under a new name. Either one involves enormous pain, as the certificate is used by hundreds of iApps ( coding involved ). Does anyone have an alternate suggestion? Seems I cannot be the only person with this issue, but so far as I can find, it seems like a unique problem?
Help or suggestions appreciated
error message v11.4
01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:star.mydomain.com.key_12345_1 for profile /Common/myapp.app/myapp_as_client-ssl: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
- Cory_50405Noctilucent
Have you tried just deleting either the key or the certificate, and then importing the new one that you didn't delete? For example, delete the certificate, then import the new key, then import the new certificate.
- afedden_1985Cirrus
Did you try adding the new certificate and key as a new pair, then applying it to the in-use SSL profile? I can't see how you could update the existing certificate and key when it's in use and neither the new key nor the new cert would match the old one that still needs to be changed.
- EmadCirrostratus
The best way is to use a new name for the key and certificate and update the key & certificate in the SSL profile. In this way the SSL profile name would remain the same.
- elastic_82555Nimbostratus
Cory, Deleting key or cert is not possible, as they are in use. So, F5 ( by design ) does not let you do this.
afedden, Yes, you can do this, but, and here is maybe a design issue for me, all my iApps use a different SSL profile. So, every iApp has a unique SSL profile ( maybe not my finest moment of design ). So, maybe that is where the uniqueness of my issue comes from. I opted to have one SSL profile per iApp. Now I have several hundred iApps and several hundred SSL profiles. Yes, it seems crazy now written down, and hindsight is a wonderful thing, but the basic issue is that a simple change of certificate/key has turned into a pretty major change affecting every iApp.
- Cory_50405Noctilucent
So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.
- elastic_82555Nimbostratus
Cory, That sounds like a good option. I particularly dislike leaving old keys around, but once the change is done, then I could delete them. In fact, once I do the above, then I could reimport the new cert/key combo and use the old name, and then do the same search and replace and delete the new name. An odd way to do things, but quite workable.
If all else fails, this seems like a good option. Thanks.
- Cory_50405Noctilucent
Be sure to back up your bigip.conf file just in case something goes awry.
- elastic_82555Nimbostratus
Hi, Here is the process.
- Backup bigip.conf
- import new cert/key into F5 via gui named - samenamecert170414 - ie same name but with date added on end
- reconfig one iApp to use new cert/key
- edit bigip.conf, search/replace samenamecert.key and samenamecert.crt to samenamecert170414.key and samenamecert170414.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt:
sys file ssl-cert /Common/samenamecert.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert.crt
sys file ssl-key /Common/samenamecert.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.key/samenamecert.key
- Reload the config: tmsh load sys config
- Delete original "samenamecert"
- import new cert/key into F5 via gui names - samenamecert - ie the original cert name
- reconfig one iApp to use samename cert/key ie back to the original name
- edit bigip.conf, search/replace samenamecert170414.key and samenamecert170414.crt to samenamecert.key and samenamecert.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt:
sys file ssl-cert /Common/samenamecert170414.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert170414.crt_67272_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert170414.crt
sys file ssl-key /Common/samenamecert170414.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert170414.key_67268_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.key/samenamecert170414.key
- tmsh load sys config
- delete the samenamecert170414 cert/key
- Check the cert has the correct serial number. IMPORTANT! System ›› File Management : SSL Certificate List ›› samenamecert
- Check via a browser that you are getting the correct certificate served, taking a statistically valid sample of your affected domains/applications
- Job done.
Pretty simple really. All due to a certificate change. This should really be so much easier.
NB. Currently I have only done this on the standby node. I am awaiting permission to failover and do a replication. Will update as soon as...
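As an added example (not code from this thread or from F5), the POSIX shell script below does the search/replace step of the procedure above on a constructed bigip.conf fragment: it backs the file up, rewrites the cert/key references in the SSL profile, and leaves the "sys file ssl-cert" / "sys file ssl-key" stanzas of the old object untouched (the 6 lines the procedure says to skip). The profile name and filestore numbers are made up; it also runs the reverse swap, which is the second half of the procedure.

```shell
# make_sample FILE: writes a constructed bigip.conf fragment (not a real config)
make_sample() {
    cat > "$1" <<'EOF'
ltm profile client-ssl /Common/myapp.app/myapp_client-ssl {
    cert-key-chain {
        default {
            cert /Common/samenamecert.crt
            key /Common/samenamecert.key
        }
    }
}
sys file ssl-cert /Common/samenamecert.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert.crt
}
sys file ssl-key /Common/samenamecert.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1
    revision 1
    source-path /config/ssl/ssl.key/samenamecert.key
}
EOF
}

# swap_cert_refs OLD NEW FILE: replace OLD.crt/OLD.key with NEW.crt/NEW.key everywhere
# except inside "sys file ssl-cert ... {" / "sys file ssl-key ... {" stanzas, whose
# cache-path/source-path lines must keep naming the object they define.
# Keeps FILE.bak as the backup and writes the rewritten config to FILE.new.
swap_cert_refs() {
    old=$1; new=$2; file=$3
    cp "$file" "$file.bak"
    awk -v old="$old" -v new="$new" '
        function lit(s, from, to,   out, i) {   # literal replace: "." is not a wildcard here
            out = ""
            while ((i = index(s, from)) > 0) {
                out = out substr(s, 1, i - 1) to; s = substr(s, i + length(from))
            }
            return out s
        }
        /^sys file ssl-(cert|key) / { inside = 1 }       # entering an object stanza
        inside && /^}/               { inside = 0; print; next }
        !inside { $0 = lit($0, old ".crt", new ".crt"); $0 = lit($0, old ".key", new ".key") }
        { print }
    ' "$file.bak" > "$file.new"
}

tmp=$(mktemp -d); make_sample "$tmp/bigip.conf"
swap_cert_refs samenamecert samenamecert170414 "$tmp/bigip.conf" && cat "$tmp/bigip.conf.new"
```

On a real unit the rewritten file still has to be put in place of /config/bigip.conf and loaded with tmsh load sys config, as the procedure describes.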
- Cory_50405Noctilucent
Your thoroughness and attention to detail is impressive.
- Emad_26973Cirrus
:)
- elastic_82555Nimbostratus
Hi, OK, today I was able to flip over from active to standby. Synchronized both F5's after the flip from active to standby ( standby had the config changes ). On both F5's the certificate seems to be the correct one ( checking the serial number ). However all the VS's are still supplying the old certificate ( verified by the old serial number still being present ). Have cleared browser caches, and indeed used a virgin VM with a browser, and yes the old certificate is still being served. Seems like something else needs to be done. Ideas welcomed. ( am looking into it at the moment )
- elastic_82555Nimbostratus
Hi, sorry folks, this was a false alarm, the process I described works exactly as is. Had some issues locally with old iApps that are no longer used ( DNS pointing to other F5 ). This was the reason for the above comment, and maybe I should have done more testing before posting. Lesson learned. Anyway process all good, and both F5's working, with new certificate.
- Cory_50405Noctilucent
Good to hear. Thanks for following up.
- nitass_89166Noctilucent
This is my testing. Is it the same as yours?
0. existing certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert one.crt
            key one.key
        }
    }
    defaults-from clientssl
}
1. verify certificate from virtual server
[root@ve11a:Active:In Sync] config echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=one
issuer= /C=US/CN=one
2. install new certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto cert two from-local-file /var/tmp/two.crt
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto key two from-local-file /var/tmp/two.key
3. verify new certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto cert two.crt
sys crypto cert two.crt {
    certificate-key-size 2048
    city
    common-name two
    country US
    email-address
    expiration Apr 22 08:31:58 2015 GMT
    organization
    ou
    public-key-type RSA
    state
    subject-alternative-name
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto key two.key
sys crypto key two.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}
4. save configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done
5. manually modify bigip.conf
ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/two.crt
            key /Common/two.key
        }
    }
    defaults-from /Common/clientssl
}
6. reload configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /defaults/daemon.conf
  /defaults/fullarmor_gpo_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
7. verify certificate from virtual server
[root@ve11a:Active:In Sync] config echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=two
issuer= /C=US/CN=two
- elastic_82555Nimbostratus
Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so the command used locally was:
echo | openssl s_client -connect 10.1.2.11:443 2>&1 | openssl x509 -noout -serial
This should print out the serial number of your cert. Old and new certs should have different serial numbers.
- ishan4386_20603Nimbostratus
Same issue happened with me. I had deleted the key from F5 and then later imported the key in F5. This time while uploading the certificate I used the same name as the exported private key. Previously while uploading the certificate I used a new certificate name, due to which this error happened.