
elastic_82555
Apr 16, 2014
Solved
Cannot Renew Certificate and private key (but keep the same name in F5 config)

Hi, I am trying to renew the wildcard certificate for our main domain. The CSR was generated elsewhere (i.e. not on the F5), and I already have the cert/key from a CA. The current certificate/key is in use. Trying to update either the certificate or the key results in the F5 complaining that the key does not match the certificate, or vice versa.

So, several workarounds would be to delete the certificate/key pair and recreate it, or to add the certificate/key under a new name. Either one involves enormous pain, as the certificate is used by hundreds of iApps (coding involved). Does anyone have an alternate suggestion? It seems I cannot be the only person with this issue, but as far as I can find, it seems like a unique problem.

Help or suggestions appreciated.

Error message (v11.4):

01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:star.mydomain.com.key_12345_1 for profile /Common/myapp.app/myapp_as_client-ssl: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

  • So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.

20 Replies

  • This is my testing. Is it the same as yours?

    0. existing certificate and key
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            myclientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 17
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        app-service none
        cert-key-chain {
            one {
                cert one.crt
                key one.key
            }
        }
        defaults-from clientssl
    }
    
    1. verify certificate from virtual server
    
    [root@ve11a:Active:In Sync] config  echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
    subject= /C=US/CN=one
    issuer= /C=US/CN=one
    
    2. install new certificate and key
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto cert two from-local-file /var/tmp/two.crt
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto key two from-local-file /var/tmp/two.key
    
    3. verify new certificate and key
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto cert two.crt
    sys crypto cert two.crt {
        certificate-key-size 2048
        city
        common-name two
        country US
        email-address
        expiration Apr 22 08:31:58 2015 GMT
        organization
        ou
        public-key-type RSA
        state
        subject-alternative-name
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto key two.key
    sys crypto key two.key {
        key-size 2048
        key-type rsa-private
        security-type normal
    }
    
    4. save configuration
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) save sys config
    Saving running configuration...
      /config/bigip.conf
      /config/bigip_base.conf
      /config/bigip_user.conf
    Saving Ethernet mapping...done
    
    5. manually modify bigip.conf
    
    ltm profile client-ssl /Common/myclientssl {
        app-service none
        cert-key-chain {
            one {
                cert /Common/two.crt
                key /Common/two.key
            }
        }
        defaults-from /Common/clientssl
    }
    
    6. reload configuration
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config
    Loading system configuration...
      /defaults/asm_base.conf
      /defaults/config_base.conf
      /defaults/low_profile_base.conf
      /defaults/low_security_base.conf
      /defaults/policy_base.conf
      /defaults/wam_base.conf
      /defaults/analytics_base.conf
      /defaults/apm_saml_base.conf
      /defaults/app_template_base.conf
      /defaults/classification_base.conf
      /defaults/daemon.conf
      /defaults/fullarmor_gpo_base.conf
      /defaults/profile_base.conf
      /defaults/sandbox_base.conf
      /defaults/security_base.conf
      /defaults/urldb_base.conf
      /usr/share/monitors/base_monitors.conf
    Loading configuration...
      /config/bigip_base.conf
      /config/bigip_user.conf
      /config/bigip.conf
    
    7. verify certificate from virtual server
    
    [root@ve11a:Active:In Sync] config  echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
    subject= /C=US/CN=two
    issuer= /C=US/CN=two
    
    
    • elastic_82555
      Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so the command used locally is:

      echo | openssl s_client -connect 10.1.2.11:443 2>&1 | openssl x509 -noout -serial

      This should print out the serial number of your cert. Old and new certs should have different serial numbers.
    • ishan4386_20603

      The same issue happened to me. I deleted the key from the F5 and later imported the key into the F5. This time, while uploading the certificate, I used the same name as the exported private key. Previously, while uploading the certificate, I used a new certificate name, which is why this error happened.
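
Added example, not code from the thread or from F5: a pre-flight check, run on any box with openssl (the BIG-IP bash shell included), that reproduces the test behind the "X509_check_private_key: key values mismatch" error before a key is installed, and that tells a renewed cert from the old one by serial and SHA-256 fingerprint as the reply above suggests. The file names and the self-signed sample certs are constructed; on a real renewal point the functions at the CA-issued cert and your own key.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks for a BIG-IP
# cert/key renewal: the error "X509_check_private_key: key values
# mismatch" is OpenSSL rejecting a key that does not belong to the
# certificate, so compare public keys before installing anything, and
# tell a renewed cert from the old one by serial/fingerprint, not CN.
set -u

# Returns 0 when the certificate's public key is identical to the public
# half of the private key (the same comparison X509_check_private_key
# makes), 1 when they differ or either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints "serial=<hex> sha256=<fingerprint>" for a certificate file.
cert_identity() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    echo "serial=$serial sha256=$fp"
}

# Constructed sample material (hypothetical names): an old and a renewed
# self-signed cert with the same wildcard CN, each with its own key.
WORK=$(mktemp -d)
for n in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/CN=*.example.com" \
        -keyout "$WORK/$n.key" -out "$WORK/$n.crt" >/dev/null 2>&1
done

if cert_key_match "$WORK/new.crt" "$WORK/new.key"; then
    echo "new.crt + new.key: match, safe to install"
fi
if ! cert_key_match "$WORK/new.crt" "$WORK/old.key"; then
    echo "new.crt + old.key: mismatch, BIG-IP would raise 01070313"
fi
echo "old: $(cert_identity "$WORK/old.crt")"
echo "new: $(cert_identity "$WORK/new.crt")"
```

Both certs print the same subject, so only the serial/fingerprint line shows which one a virtual server is actually serving after the reload.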

       


  • Hi, what I would do in your case is:

    1. synchronize the active and passive devices
    2. use the passive device for your manipulation
    3. force the passive device to "push config to group", and your main device will have the proper configuration

    Regarding step 2, if you want to use the GUI you'll have to delete the certificate & key, then recreate it with the same name... This is possible only if, prior to this operation, you removed the certificate from the SSL profiles that use it... If it takes too long using the GUI, you'll have to edit the bigip.conf and use "sed" to replace what you want to replace :)

    cheers