Forum Discussion
Cannot Renew Certificate and private key (but keep the same name in F5 config)
- Apr 16, 2014
So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.
This is my testing. Is it the same as yours?
0. existing certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert one.crt
            key one.key
        }
    }
    defaults-from clientssl
}
1. verify certificate from virtual server
[root@ve11a:Active:In Sync] config echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=one
issuer= /C=US/CN=one
2. install new certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto cert two from-local-file /var/tmp/two.crt
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto key two from-local-file /var/tmp/two.key
3. verify new certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto cert two.crt
sys crypto cert two.crt {
    certificate-key-size 2048
    city
    common-name two
    country US
    email-address
    expiration Apr 22 08:31:58 2015 GMT
    organization
    ou
    public-key-type RSA
    state
    subject-alternative-name
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto key two.key
sys crypto key two.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}
4. save configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done
5. manually modify bigip.conf
ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/two.crt
            key /Common/two.key
        }
    }
    defaults-from /Common/clientssl
}
6. reload configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/defaults/daemon.conf
/defaults/fullarmor_gpo_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
7. verify certificate from virtual server
[root@ve11a:Active:In Sync] config echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=two
issuer= /C=US/CN=two
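A more controlled way to do the bigip.conf edit from step 5, as an added example that is not from this thread or from F5: it rewrites only the cert/key lines inside SSL profile stanzas (a chain entry naming the old object would be handled the same way) and produces a diff to review before `load sys config`. The sample config is constructed to mirror the myclientssl profile above; `swap_cert_key`, `review_diff` and the regexes are this example's own.

```python
# Added example (not from the thread): scoped cert/key swap for a BIG-IP bigip.conf.
# Edits only cert-key-chain lines inside ltm profile client-ssl/server-ssl stanzas,
# so the old name surviving elsewhere (e.g. a description) stays untouched, and
# returns a diff to review before 'tmsh load sys config'.
import difflib
import re

# Constructed sample, modelled on the thread's bigip.conf after step 4.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/one.crt
            key /Common/one.key
        }
    }
    defaults-from /Common/clientssl
}
ltm virtual /Common/bar {
    destination /Common/172.28.24.10:443
    description "pool members still trust one.crt"
}
"""

# A top-level stanza ends at the first '}' in column 0; nested braces are indented.
STANZA_RE = re.compile(
    r"^(ltm profile (?:client|server)-ssl (\S+) \{\n)(.*?)(^\}\n)",
    re.MULTILINE | re.DOTALL)

def swap_cert_key(conf, old, new):
    """Return (rewritten_conf, profiles_touched). old/new are base names
    ('one' -> 'two'); the /Common/ prefix and .crt/.key suffix are kept."""
    line_re = re.compile(
        r"^([ \t]*(?:cert|key|chain) (?:/\S+/)?)%s(\.(?:crt|key))$" % re.escape(old),
        re.MULTILINE)
    touched = []
    def fix_stanza(m):
        head, name, body, tail = m.groups()
        body, n = line_re.subn(r"\g<1>%s\2" % new, body)
        if n:
            touched.append(name)
        return head + body + tail
    return STANZA_RE.sub(fix_stanza, conf), touched

def review_diff(old_conf, new_conf):
    """Unified diff to eyeball before writing the file back and reloading."""
    return "".join(difflib.unified_diff(old_conf.splitlines(True),
                                        new_conf.splitlines(True),
                                        "bigip.conf", "bigip.conf.new"))
```

Write the result back to /config/bigip.conf only after reading the diff, then run the `load sys config` and the `openssl s_client` check from steps 6 and 7.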
- elastic_82555, Apr 22, 2014, Nimbostratus
Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so command used locally...
echo | openssl s_client -connect 10.1.2.11:443 2>&1|openssl x509 -noout -serial
This should print out your serial number of your cert. Old and new certs should have different serial numbers.
- ishan4386_20603, Apr 18, 2017, Nimbostratus
Same issue happened with me. I had deleted the key from F5 and then later imported the key into F5. This time, while uploading the certificate, I used the same name as the exported private key. Previously, while uploading the certificate, I used a new certificate name, due to which this error happened.