F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Aditya_Mehra's avatar
Aditya_Mehra
Icon for Cirrus rankCirrus
Mar 14, 2018

Convert to pkcs 12 format

Hi All, I created a csr and have received the certs from CA. I will be using those on the F5. But the server team needs the cert and key in pkcs12 format.   I have the below:   certificat...
application delivery
BIG-IP
certificate
crt
key
pkcs
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Mar 14, 2018

this command works in my F5:

openssl pkcs12 -export -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:wildcard_demo.local.crt_47284_1 -inkey /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:wildcard_demo.local.key_47282_1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out /var/tmp/democert.p12 -certfile /config/filestore/files_d/Common_d/certificate_d/\:Common\:DEMO_CA.crt_47294_1

or

openssl pkcs12 -export -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:wildcard_demo.local.crt_47284_1 -inkey /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:wildcard_demo.local.key_47282_1 -certpbe AES-256-CBC -keypbe AES-256-CBC -out /var/tmp/democert.p12 -certfile /config/filestore/files_d/Common_d/certificate_d/\:Common\:DEMO_CA.crt_47294_1

NOTE: If you do not specify explicitly specify the certpbe and keypbe algorithm this version defaults to using pbewithSHAAnd40BitRC2-CBC to protect the certificate and pbeWithSHAAnd3-KeyTripleDES-CBC to protect the key.

RC2 was designed in 1987 and has been considered weak for a very long time. 3DES is still considered by many to offer 112-bits of security though in 2015 it is clearly not an algorithm that should still be in use.

Source : http://unmitigatedrisk.com/?p=543