F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Faintly_Lucky's avatar
Faintly_Lucky
Icon for Nimbostratus rankNimbostratus
Dec 14, 2012

Cert and Key files are not in /config/ssl/ssl.* subdirectories after 11.x to 11.x upgrade

I've searched around Dev Central and the KB and can't find any info on this. Maybe I haven't used the right search parameters, but there it is.   After doing an upgrade from any 11.x version to an...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 18, 2012
The new locations are part of the CMI configuration in v11 (both for clustering and partitioning). As such, you need to use TMSH to move the files into the proper filesystem objects.

Here's a little shell script I wrote to copy/replace certs and keys in the filesystems. SCP the .p12 files up to a working directory and run this script from there. 


!/bin/bash
if [ "$1" != "" ]; then
    passwd=$1
     process .p12 files
    for g in *.p12
    do
          extract the name from the .p12 file
         pname=`echo $g |awk -F.p12 '{ print $1 }'`
 
          export the private key
         openssl pkcs12 -in $g -out $pname.key -nodes -clcerts -nocerts -passin pass:$passwd
 
          export the public key
         openssl pkcs12 -in $g -out $pname.crt -nodes -clcerts -nokeys -passin pass:$passwd
    done
 
     process exported certificates
    for f in *.crt
    do
          extract the name from the cert file
         fname=`echo $f |awk -F.crt '{ print $1 }'`
 
          delete the old ones first
         tmsh delete sys crypto cert $fname
         tmsh delete sys crypto key $fname
 
          import the cert and key
         tmsh install sys crypto cert $fname from-local-file $fname.crt
         tmsh install sys crypto key $fname from-local-file $fname.key
    done
    echo "Done"
else
    echo ""
    echo "Usage: certpush.sh <.p12 export password>"
    echo ""
fi