For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sean_Powell's avatar
Sean_Powell
Icon for Nimbostratus rankNimbostratus
Apr 07, 2016

Can't Import SSL Certificate Bundle and Key with iControl via PowerShell

Hi,

 

I'm trying to automate the CSR and SSL Certificate import processes via iControl with Powrshell. I can generate and export the CSR/Key without issue, and I can import a Key/single certificate without issue using the following code:

 

$key_pem = get-content $key_path -raw;
$crt_pem = get-content $cert_path -raw;
(Get-F5.iControl).ManagementKeyCertificate.Key_import_from_pem("MANAGEMENT_MODE_DEFAULT",$url,$key_pem,1);
(Get-F5.iControl).ManagementKeyCertificate.certificate_import_from_pem("MANAGEMENT_MODE_DEFAULT",$url,$crt_pem,1);

However, the code fails and I get a 'Keys do not match' error when I try to import the certificate when it's bundled with the intermediate and root certificates. The import process works fine using the Admin UI, so I am guessing iControl isn't properly matching the certificate in the bundle with the key.

 

Can anyone give me an idea how to work around this?

 

Thanks!

 

devops
iControl
LTM

1 Reply

  • Sean_Powell's avatar
    Sean_Powell
    Icon for Nimbostratus rankNimbostratus
    Apr 14, 2016

    The work-around is to import the certificate and intermediate bundle as separate files, and assign both to the SSL Profile.

    So, instead of using this for a certificate / intermediate bundle: 

    LocalLBProfileClientSSL.set_key_certificate_file( $ProfileName, (, $Key), (, $Cert) )

    You use this instead, adding the second step. 

    LocalLBProfileClientSSL.set_key_certificate_file( $ProfileName, (, $Key), (, $Cert) );
    LocalLBProfileClientSSL.set_chain_file_v2( $ProfileName, (, $Chain) );