Forum Discussion
Can't use encrypted key with passphrase on SSL Forward Proxy
When creating a clientssl profile, I'm attempting to use an encrypted CA key with the SSL Forward proxy setting enabled. I'm using a self-created CA cert/key pair with the key being encrypted. I've tried both the CLI and web-based GUI and get the same error.
This seems to work just fine with an unencrypted key, but when requiring a passphrase, I get this error no matter how I try to set the key/passphrase. In the example below, I've added the passphrase before the key, thinking that might work. Nothing works, however.
user@(f51)(cfg-sync Changes Pending)(Active)(/Common)(tmos.ltm.profile.client-ssl) list clientssl-wildcardssl
ltm profile client-ssl clientssl-wildcardssl {
    app-service none
    cert wildcard.domain.com.crt
    cert-extension-includes { basic-constraints key-usage subject-alternative-name }
    defaults-from clientssl
    key wildcard.domain.com.key
    proxy-ca-passphrase
}
user@(f51)(cfg-sync Changes Pending)(Active)(/Common)(tmos.ltm.profile.client-ssl) modify clientssl-wildcardssl ssl-forward-proxy enabled proxy-ca-key internal-ca.key proxy-ca-cert internal-ca.crt
01070313:3: Error reading SSL forward proxy CA key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:internal-ca.key_30132_1 for profile /Common/clientssl-wildcardssl: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
2 Replies
- Kevin_Stewart
Employee
Have you done the following?
- Import encrypted private key, set password, and set Security Type to "Password"
- Import the public certificate
- In the SSL Forward Proxy section of the client SSL profile, apply the CA certificate and key, and specify the CA passphrase
- Chris_Everest_1
Nimbostratus
Yes, I did all those things. I did verify that the security type was set to 'password' before attempting to use them in the 'SSL Forward Proxy' section of my client ssl profile.
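
The error string in the question is produced by OpenSSL's PEM private-key reader (PEM_READ_BIO_PRIVATEKEY), so the key, passphrase and certificate can be checked with the openssl CLI before they are referenced in the profile. The script below is an added example, not part of the thread and not F5 tooling; it reports which PEM envelope the key uses, whether the passphrase decrypts it, and whether it matches the CA certificate. The script name and the KEY_PASS environment variable are assumptions; the key and certificate names are the ones from the question.

```bash
#!/bin/sh
# Added example: pre-flight checks on an encrypted CA key/cert pair.
# Assumption: the passphrase is supplied in the KEY_PASS environment variable.

# Classify the PEM envelope of a private key file from its headers alone.
pem_key_format() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -Eq -e '-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----' "$1"; then
        # The traditional format flags encryption with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo traditional-encrypted
        else
            echo traditional-plain
        fi
    else
        echo unknown
    fi
}

# Succeeds only if $KEY_PASS decrypts the key. Reading the passphrase from
# the environment keeps it out of the process argument list.
# Note: an unencrypted key also passes, so check pem_key_format first.
key_decrypts() {
    KEY_PASS=${KEY_PASS-} openssl pkey -in "$1" -passin env:KEY_PASS -noout 2>/dev/null
}

# Succeeds only if the key's public half equals the certificate's public key.
key_matches_cert() {
    kmc_key=$(KEY_PASS=${KEY_PASS-} openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# Usage (hypothetical script name):
#   KEY_PASS='...' sh check-ca-key.sh internal-ca.key internal-ca.crt
if [ "$#" -eq 2 ]; then
    echo "format:       $(pem_key_format "$1")"
    if key_decrypts "$1"; then echo "passphrase:   ok"; else echo "passphrase:   rejected"; fi
    if key_matches_cert "$1" "$2"; then echo "matches cert: yes"; else echo "matches cert: no"; fi
fi
```
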