Nfordhk_66801
Aug 04, 2014

ClientSSL Profile. Key and Cert mismatch. Applying to Virtual Server

Hi,

I have a VIP setup for HTTPS pointing to a pool of HTTP servers. We want to install the certificate on the BIG-IP. I generated the CSR for a certificate authority, received the cert and imported it.

I created an SSL profile, using clientssl as the parent profile and selected my certificate and key. But I'm receiving the error: "Common/xdoctest_clientssl's key and certificate do not match"

I generated two MD5 checksums and found the crt and key do not match. Is this a problem with the certificate I received? ClientSSL would be the appropriate profile in this scenario, correct?

My plan was to apply the clientSSL to the VIP and leave the serverssl blank (due to http backend)
  • shaggy

    Your plan is correct - you only need a clientssl profile. The certificate and key must "match" but they won't match - they aren't identical files, so md5sum won't help you, but the CSR must be generated based on the key that was created. If you created the CSR on the F5, it will automatically create the associated key. Once you obtain the certificate from your certificate authority using the CSR that was generated, you then upload the certificate, matching it to the key you created (System | File Management | SSL Certificate List | click on the key you created, import the certificate).
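
The check shaggy describes, as an added shell example that is not from this thread or from F5: instead of hashing the two files, it extracts the public key from the private key and from the certificate and compares those. Comparing the SubjectPublicKeyInfo rather than the classic RSA modulus also covers EC keys, so the check is slightly more general than the RSA case in the question. It assumes the openssl CLI is installed; the key, certificate and CN name in the fixture are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): do a private key and a certificate belong
# together? md5sum over the files never agrees, because they are different
# objects. What must agree is the public key derived from the private key and
# the public key embedded in the certificate. Requires the openssl CLI.

# Print the PEM SubjectPublicKeyInfo derived from a private key file.
# Prints nothing (and fails) if the file is not a readable private key.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the PEM SubjectPublicKeyInfo embedded in a PEM certificate.
pubkey_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Return 0 when the key and certificate match, 1 otherwise. The empty check
# matters: two unreadable files must not be reported as a match.
key_cert_match() {
    k=$(pubkey_from_key "$1")
    c=$(pubkey_from_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed fixture: two fresh RSA keys and a self-signed certificate issued
# from the first one (the CN is a placeholder). Prints the scratch directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/a.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/a.key" -days 1 \
        -subj "/CN=app.example.internal" -out "$dir/a.crt" 2>/dev/null
    echo "$dir"
}

# Stand-alone use: sh check_pair.sh server.key server.crt
# With no arguments, run the constructed fixture as a demonstration.
if [ "$#" -eq 2 ]; then
    if key_cert_match "$1" "$2"; then
        echo "OK: $2 carries the public key of $1"
    else
        echo "MISMATCH: $2 does not belong to $1 (use the key the CSR was generated from)"
        exit 1
    fi
elif [ "$#" -eq 0 ]; then
    d=$(make_fixture)
    key_cert_match "$d/a.key" "$d/a.crt" && echo "a.key / a.crt: match"
    key_cert_match "$d/b.key" "$d/a.crt" || echo "b.key / a.crt: mismatch"
fi
```

Run it against the key you generated the CSR from and the certificate the CA returned; a mismatch here is exactly what the BIG-IP refuses when it saves the clientssl profile, so this is worth checking before importing anything.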

  • Hey Shaggy,

    I found out the issue. It appeared to be related to the DNS name. I had generated the CSR with the short name since it was an internal site. However, I found utilizing the FQDN resolved the issue. Do you have any explanation why?

    Is it because DNS is tied to the FQDN?

  • Could I create an irule to add on the domain for users who use short name?

    The certificate uses the short name, doesn't it? We can configure an HTTP redirect to the FQDN, but the user will get a certificate warning message (because the FQDN does not match the short name in the certificate).

    • Nfordhk_66801
      The certificate uses FQDN. I would like to configure a rewrite for users who type the shortname to FQDN so they do not get a certificate warning message. When I initially generated the CSR with shortname, it wasn't working.
    • nitass_89166
      The user will still get the certificate warning message because the redirection happens after the SSL handshake.
  • I usually gen the certificate with the FQDN as the common name, and then the short name as a SAN on the certificate. Make sure you specify the FQDN as a SAN as well (so two SANs, short and FQDN), as I have had problems in the past with browsers ignoring the CN when a SAN is present.
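
The CN-plus-two-SANs layout described in this reply, as an added shell example that is not the poster's own commands: it writes an OpenSSL request config whose subjectAltName lists both the FQDN and the short name, generates a key and CSR from it, and then reads the SAN extension back out of the CSR so the request can be verified before it goes to the CA. The host names app.example.internal / app and all file paths are constructed placeholders, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR with the FQDN as CN and both
# the FQDN and the short name as SANs, then confirm the SANs are really present.
# Browsers match the SAN list, not the CN, so a missing SAN is a warning later.

# Write an OpenSSL request config: $1 = output path, $2 = FQDN, $3 = short name.
write_csr_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $2

[ v3_req ]
subjectAltName = DNS:$2, DNS:$3
EOF
}

# Generate a 2048-bit RSA key and a CSR in directory $1 for FQDN $2 and
# short name $3. Prints the CSR path.
make_csr() {
    write_csr_config "$1/req.cnf" "$2" "$3"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -config "$1/req.cnf" \
        -out "$1/server.csr" 2>/dev/null
    echo "$1/server.csr"
}

# Print the DNS names in the CSR's Subject Alternative Name extension, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# Return 0 if every name given after the CSR path appears as a SAN, 1 otherwise.
csr_has_sans() {
    csr=$1
    shift
    names=$(csr_san_names "$csr")
    for n in "$@"; do
        printf '%s\n' "$names" | grep -qFx "$n" || return 1
    done
    return 0
}

# Stand-alone use: sh make_san_csr.sh app.example.internal app
if [ "$#" -eq 2 ]; then
    out=$(mktemp -d)
    csr=$(make_csr "$out" "$1" "$2")
    echo "CSR written to $csr with SANs:"
    csr_san_names "$csr"
fi
```

Send the resulting server.csr to the CA and keep server.key on the BIG-IP; the returned certificate will then pair with that key, and both the short name and the FQDN will validate in the browser, which is what the short-name-only CSR in the question could not give.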