Brad_Weakly_101
Feb 01, 2006

certificate/key mismatch

I have been trying to create a self-signed certificate for the Apache on the virtual server and import the key and certificate to the BIG-IP. But I keep getting an "Import Failed: Certificate/Key mismatch" error. Can anyone point out what is wrong in the following steps I followed?

1. Create a private key for Apache using

openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server_f5.key 1024

2. Remove the pass-phrase from the key using

openssl rsa -in server.key -out server.pem

3. Generate the CSR using

openssl req -new -key server.key -out server.csr

4. Modify the 40_mod_ssl.conf file to include the following configuration (I have also set up three Apache virtual servers on 10.40.13.1):


  
    LoadModule ssl_module    modules/mod_ssl.so
  
ServerAdmin ylin@doc.state.ne.us
DocumentRoot /var/www/localhost/htdocs
ServerName www.f5test.com
ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile    /root/server_f5.crt
SSLCertificateKeyFile /root/ssl.key/server_f5.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/var/log/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerAdmin ylin@doc.state.ne.us
DocumentRoot /var/www/localhost/htdocs
ServerName www.f5test1.com
ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile    /root/server.crt
SSLCertificateKeyFile /root/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/var/log/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerAdmin ylin@doc.state.ne.us
DocumentRoot /var/www/localhost/htdocs
ServerName www.f5test2.com
ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile    /root/server.crt
SSLCertificateKeyFile /root/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/var/log/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerAdmin ylin@doc.state.ne.us
DocumentRoot /var/www/localhost/htdocs
ServerName www.f5test3.com
ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile    /root/server.crt
SSLCertificateKeyFile /root/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/var/log/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

5. Add Include /etc/apache2/modules.d/40_mod_ssl.conf to httpd.conf on 10.40.13.1

6. restart the Apache on 10.40.13.1

7. On big-ip interface, copy the server.pem file content to the key import page. It worked.

8. On big-ip interface, copy the server.csr file content to the certificate import page, it says "Import Failed: Certificate/Key mismatch" error.

Any clue what I did wrong?
  • The staff here really can't help you on this issue. iControl is our management API and this falls into the category of a product related question that would need to go to F5 Product Technical Support.

    -Joe
  • "8. On big-ip interface, copy the server.csr file content to the certificate import page, it says "Import Failed: Certificate/Key mismatch" error."

    You need to import 'server.crt' as your SSL certificate to the BIG-IP box.

    Your Apache httpd.conf has the following directives:

    SSLCertificateFile /root/server.crt
    SSLCertificateKeyFile /root/ssl.key/server.key

    .. use those files when importing SSL certificate and SSL key.

    --

    server.csr is the "Certificate Signing Request", see Wikipedia for details.

    http://en.wikipedia.org/wiki/Certificate_signing_request
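
The check discussed in this thread, as an added example that is not part of the original posts: it identifies whether a PEM file is a certificate, a CSR or a private key, and confirms that a certificate and key carry the same public key before they are imported. The function names are hypothetical, and the self-signing step in `make_samples` (`openssl x509 -req -signkey`) is an assumption, since the thread does not show how `server.crt` was produced; all sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): identify a PEM file and confirm that a
# certificate and a private key carry the same public key before importing them.

# Kind of the first PEM block in FILE: certificate, csr, key or unknown.
pem_kind() {
  case "$(sed -n '/^-----BEGIN /{p;q;}' "$1")" in
    *'CERTIFICATE REQUEST-----') echo csr ;;
    *'CERTIFICATE-----')         echo certificate ;;
    *'PRIVATE KEY-----')         echo key ;;
    *)                           echo unknown ;;
  esac
}

# Public key (PEM) carried by a certificate, CSR or unencrypted private key.
pubkey_pem() {
  case "$(pem_kind "$1")" in
    certificate) openssl x509 -in "$1" -noout -pubkey ;;
    csr)         openssl req  -in "$1" -noout -pubkey ;;
    key)         openssl pkey -in "$1" -pubout ;;
    *)           return 1 ;;
  esac
}

# 0 = match, 1 = mismatch, 2 = first file is not a certificate, 3 = unreadable.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
  kind=$(pem_kind "$1")
  if [ "$kind" != certificate ]; then
    echo "$1 is a $kind, not a certificate" >&2
    return 2
  fi
  c=$(pubkey_pem "$1" 2>/dev/null) && k=$(pubkey_pem "$2" 2>/dev/null) || return 3
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample files: key, CSR, self-signed certificate, unrelated key.
make_samples() {   # usage: make_samples DIR
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/server.key" -subj "/CN=www.f5test.com" \
    -out "$1/server.csr" &&
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 30 \
    -out "$1/server.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Check two real files when given: sh pemcheck.sh server.crt server.key
if [ "$#" -eq 2 ]; then
  cert_matches_key "$1" "$2" && echo "match" || echo "no match (status $?)"
fi
```

A CSR carries the same public key as the private key it was made from, which is why the comparison alone is not enough and the file type is checked first.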