ClientSSL Profile. Key and Cert mismatch. Applying to Virtual Server
Hi,
I have a VIP setup for HTTPS pointing to a pool of HTTP servers. We want to install the certificate on the BIG IP. I generated the CSR for a certificate authority, received the cert and imported it.
I created an SSL profile, using clientssl as the parent profile, and selected my certificate and key. But I'm receiving the error: "Common/xdoctest_clientssl's key and certificate do not match".
I generated two MD5 checksums and found the crt and key do not match. Is this a problem with the certificate I received? ClientSSL would be the appropriate profile in this scenario, correct?
My plan was to apply the clientSSL to the VIP and leave the serverssl blank (due to the HTTP backend).
- shaggy (Nimbostratus)
Your plan is correct - you only need a clientssl profile. The certificate and key must "match" but they won't match - They aren't identical files, so md5sum won't help you, but the CSR must be generated based on the key that was created. If you created the CSR on the F5, it will automatically create the associated key. Once you obtain the certificate from your certificate authority using the CSR that was generated, you then upload the certificate, matching it to the key you created (System | File Management | SSL Certificate List | click on the key you created, import the certificate).
- Nfordhk_66801 (Nimbostratus)
Hey Shaggy,
I found out the issue. It appeared to be related to the DNS name. I had generated the CSR with the short name since it was an internal site. However, I found utilizing the FQDN resolved the issue. Do you have any explanation why?
Is it because DNS is tied to the FQDN?
- Nfordhk_66801 (Nimbostratus)
Could I create an irule to add on the domain for users who use short name?
- nitass_89166 (Noctilucent)
> Could I create an irule to add on the domain for users who use short name?
The certificate uses the short name, doesn't it? We can configure an HTTP redirect to the FQDN, but the user will get a certificate warning message (because the FQDN does not match the short name in the certificate).
- Nfordhk_66801 (Nimbostratus)
The certificate uses the FQDN. I would like to configure a rewrite for users who type the short name to the FQDN so they do not get a certificate warning message. When I initially generated the CSR with the short name, it wasn't working.
- nitass_89166 (Noctilucent)
The user will still get a certificate warning message because redirection happens after the SSL handshake.
- mimlo_61970 (Cumulonimbus)
I usually gen the certificate with the FQDN as the common name, and then the short name as a SAN on the certificate. Make sure you specify the FQDN as a SAN as well (so 2 SANs, short and FQDN), as I have had problems in the past with browsers ignoring the CN when a SAN is present.
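The two checks this thread turns on, as an added example that is not from any of the posters: comparing the public key carried by the key, the CSR and the certificate (the comparison a file checksum cannot make), and testing which host names the certificate covers. It assumes the `openssl` command-line tool and unencrypted PEM files; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Emit the PEM public key carried by a private key, a CSR, or a certificate.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
# A checksum of the two files always differs because they hold different
# objects; the element they share is the public key.
key_matches_cert() {
    k=$(pub_of_key "$1"); c=$(pub_of_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_matches_csr KEY CSR: the same test against the signing request.
key_matches_csr() {
    k=$(pub_of_key "$1"); r=$(pub_of_csr "$2")
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# cert_covers_host CERT NAME: succeed if NAME passes OpenSSL's hostname check.
# When the certificate has DNS SAN entries, the CN is not consulted.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Stand-alone use: check_pair.sh KEY CERT [NAME ...]
if [ "$#" -ge 2 ]; then
    key=$1; cert=$2; shift 2
    if key_matches_cert "$key" "$cert"; then echo "key and certificate match"
    else echo "key and certificate do NOT match"; fi
    for name in "$@"; do
        if cert_covers_host "$cert" "$name"; then echo "$name: covered"
        else echo "$name: NOT covered"; fi
    done
fi
```

Running the pair check before building the clientssl profile shows whether the imported certificate was issued from a CSR generated with a different key.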