Forum Discussion

smp_86112
Apr 07, 2010

Changing LTM Device Certificate from 1024 -> 2048 key

I need to update the Device Certificate on an LTM v10.1.0 from 1024 to 2048. The doc says "Available key lengths are 512, 1024, or 2048 bytes." However none of those options are available to select during the renewal process. How do you convert a 1024 Device Certificate to 2048 bit encryption?

Also just a heads-up to anyone running a vulnerability scan. This month our scanner suddenly reported 1024 bit SSL keys as a vulnerability.
  • nathe
    Hi smp,

    As far as I'm aware a renew will simply extend the current cert, with all the same settings, for a year. If you want to change the encryption I think you need to start again and create a new one. I don't see this option in the GUI so you'll need to do this from the command line.

    N
  • Yes, when creating a *new* certificate you can select 2048 bits. But I needed to convert an existing certificate. I did some testing yesterday on this. I simply created a new cert with the dialog box you presented, then renamed the cert and key file to server.crt and server.key, moved them to the right spot on the filesystem and restarted httpd. That seemed to do the trick.
  • hoolio
    Thanks for clarifying. If you're using that cert with GTM, you might still need to sync the cert as the public key would have changed (just a guess though).

    Aaron
  • Yes, you are exactly correct. I need to run bigip_add on the unit with the new Device Certificate, which adds the new cert to the Trusted Device Certificates list on the GTM.
  • Hamish
    Posted By smp on 04/08/2010 05:25 AM

    Yes, when creating a *new* certificate you can select 2048 bits. But I needed to convert an existing certificate. I did some testing yesterday on this. I simply created a new cert with the dialog box you presented, then renamed the cert and key file to server.crt and server.key, moved them to the right spot on the filesystem and restarted httpd. That seemed to do the trick.

    Yes. You do need to create a *NEW* cert... You can't simply take a 1024b key and change it to a 2048b key and somehow insert it into the existing cert... (Because part of the cert is the public key. The cert is made up of the public key, the attributes such as the CN etc. and then those are signed with the CA's private key to 'vouch' for them). Changing the key pair would have the effect of creating a NEW cert... Therefore creating a new cert is what you need(ed) to do. Which is exactly what you did when you created a new cert with the same CN... H
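The procedure smp describes (generate a new 2048-bit pair, name it server.crt/server.key, put it in place, restart httpd) and Hamish's point that the public key is baked into the certificate can both be shown with plain openssl. The script below is an added example, not from the thread or from F5; it builds a 1024-bit and a 2048-bit self-signed pair in a temporary directory, reads the key size straight out of each certificate (the check a vulnerability scanner is making), and compares moduli to prove that a 2048-bit key cannot simply be swapped in under the old 1024-bit cert. The CN, the staging directory and the `bigstart restart httpd` hint are assumptions; the real install directory should be taken from the appliance's own httpd configuration, since the thread only says "the right spot on the filesystem".

```shell
#!/bin/sh
# Added example (not from the thread or from F5): rotate a device cert from a
# 1024-bit to a 2048-bit RSA key with openssl and verify the result.
# Assumptions: CN, temp/staging paths and the restart hint are illustrative.
set -e

# Create a self-signed cert + private key with the requested RSA size.
# Usage: make_device_cert <dir> <bits> <cn>
make_device_cert() {
    dir=$1; bits=$2; cn=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" \
        >/dev/null 2>&1
}

# Print the RSA size carried by a certificate's public key (e.g. 1024 or 2048).
# This is what a scanner flagging "1024-bit SSL key" is looking at.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the private key's modulus equals the cert's public-key modulus,
# 1 otherwise. A cert signed over one public key never matches another key.
key_matches_cert() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# Stage a verified pair into the directory httpd reads from. The directory is
# an assumption; on a v10 appliance the restart is "bigstart restart httpd".
install_device_cert() {
    src=$1; dest=$2
    key_matches_cert "$src/server.crt" "$src/server.key" || return 1
    cp "$src/server.crt" "$src/server.key" "$dest/"
    echo "installed into $dest; now run: bigstart restart httpd"
}

demo() {
    work=$(mktemp -d)
    make_device_cert "$work/old" 1024 ltm.example.com   # constructed old pair
    make_device_cert "$work/new" 2048 ltm.example.com   # constructed new pair
    echo "old cert key size: $(cert_key_bits "$work/old/server.crt") bit"
    echo "new cert key size: $(cert_key_bits "$work/new/server.crt") bit"
    # Hamish's point: the new key cannot live under the old certificate.
    if key_matches_cert "$work/old/server.crt" "$work/new/server.key"; then
        echo "old cert + new key: match (unexpected)"
    else
        echo "old cert + new key: mismatch, so a new cert is required"
    fi
    mkdir -p "$work/staged"
    install_device_cert "$work/new" "$work/staged"
    rm -rf "$work"
}

demo
```

Run it on any host with openssl to see the 1024/2048 readings and the modulus mismatch; on the appliance itself, point `cert_key_bits` at the installed server.crt to confirm what the scanner will see after the restart, and remember hoolio's caveat that a GTM trusting the old certificate needs the new one added with bigip_add.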