Forum Discussion
smp_86112
Cirrostratus
Apr 07, 2010
Changing LTM Device Certificate from 1024 -> 2048 key
I need to update the Device Certificate on an LTM v10.1.0 from 1024 to 2048. The doc says "Available key lengths are 512, 1024, or 2048 bytes." However none of those options are available to select during the renewal process. How do you convert a 1024 Device Certificate to 2048 bit encryption?
Also just a heads-up to anyone running a vulnerability scan. This month our scanner suddenly reported 1024 bit SSL keys as a vulnerability.
5 Replies
- nathe
Cirrocumulus
Hi smp,
As far as I'm aware a renew will simply extend the current cert, with all the same settings, for a year. If you want to change the encryption I think you need to start again and create a new one. I don't see this option in the GUI so you'll need to do this from the command line.
N
- smp_86112
Cirrostratus
Yes, when creating a *new* certificate you can select 2048 bits. But I needed to convert an existing certificate. I did some testing yesterday on this. I simply created a new cert with the dialog box you presented, then renamed the cert and key file to server.crt and server.key, moved them to the right spot on the filesystem and restarted httpd. That seemed to do the trick.
- hoolio
Cirrostratus
Thanks for clarifying. If you're using that cert with GTM, you might still need to sync the cert as the public key would have changed (just a guess though).
Aaron
- smp_86112
Cirrostratus
Yes, you are exactly correct. I need to run bigip_add on the unit with the new Device Certificate, which adds the new cert to the Trusted Device Certificates list on the GTM.
- Hamish
Cirrocumulus
Posted By smp on 04/08/2010 05:25 AM
Yes, when creating a *new* certificate you can select 2048 bits. But I needed to convert an existing certificate. I did some testing yesterday on this. I simply created a new cert with the dialog box you presented, then renamed the cert and key file to server.crt and server.key, moved them to the right spot on the filesystem and restarted httpd. That seemed to do the trick.
Yes. You do need to create a *NEW* cert... You can't simply take a 1024b key and change it to a 2048b key and somehow insert it into the existing cert... (Because part of the cert is the public key. The cert is made up of the public key, the attributes such as the CN etc, and then those are signed with the CA's private key to 'vouch' for them). Changing the key pair would have the effect of creating a NEW cert... Therefore creating a new cert is what you need(ed) to do. Which is exactly what you did when you created a new cert with the same CN...
H
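As an added illustration of Hamish's point (example commands written for this page, not from the thread or from F5): with openssl, re-signing a request made from the existing key keeps the 1024-bit key, while only a freshly generated 2048-bit pair produces a cert that passes a 2048-bit minimum check like the one a scanner applies. The file names and CN below are constructed scratch values, not the BIG-IP paths.

```shell
#!/bin/sh
# Added example, not code from the thread. Scratch files only; nothing here
# touches the BIG-IP's real server.crt/server.key locations.
set -e

WORK=$(mktemp -d)
CN="/CN=ltm.example.test"   # constructed sample subject

# Print the RSA modulus size (bits) of the public key inside a PEM cert.
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl rsa -pubin -noout -text 2>/dev/null \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# "ok" if the cert's key is at least 2048 bits, "weak" otherwise
# (the same threshold the vulnerability scanner in the thread applies).
check_cert() {
    bits=$(cert_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] && echo ok || echo weak
}

# 1. The old-style device cert: a 1024-bit key and a self-signed cert.
openssl genrsa -out "$WORK/old.key" 1024 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -days 365 -subj "$CN" \
    -out "$WORK/old.crt" 2>/dev/null

# 2. A "renewal": a new CSR from the SAME key, re-signed for another year.
#    The public key is unchanged, so the renewed cert is still 1024 bits.
openssl req -new -key "$WORK/old.key" -subj "$CN" \
    -out "$WORK/renew.csr" 2>/dev/null
openssl x509 -req -in "$WORK/renew.csr" -signkey "$WORK/old.key" -days 365 \
    -out "$WORK/renewed.crt" 2>/dev/null

# 3. The real fix: generate a NEW 2048-bit key pair and a new self-signed
#    cert with the same CN; this is a different cert, not a modified one.
openssl genrsa -out "$WORK/new.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/new.key" -days 365 -subj "$CN" \
    -out "$WORK/new.crt" 2>/dev/null

for f in old renewed new; do
    printf '%s.crt: %s bits -> %s\n' "$f" "$(cert_key_bits "$WORK/$f.crt")" \
        "$(check_cert "$WORK/$f.crt")"
done
```

After swapping in the new pair, the same check run against the cert the device actually serves confirms the scanner finding is cleared; the GTM trust step (bigip_add) is still needed because the public key changed.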
