Jan 11, 2012

Create SSL CSR Against existing Key

Hi there,

We're coming from an existing Apache set-up, whereby all CSRs were generated by OpenSSL on a Linux server against a defined private key. This meant that these certificates were easily transferable between web servers, which all shared a common private key...

From looking at the F5s, it appears that on generating a CSR, it's not possible to specify a private key to use... Obviously this means that each certificate has a different private key, which means that moving it to another server, Apache instance or DR F5s becomes a bit more complex...

Is it possible to specify that the F5 uses a pre-existing private key when generating a CSR?

Or is there an equally easy way to move keys from one F5 to another, etc...

  • All private keys, CSRs and certificates are stored in the /config/ssl directory. You are able to run openssl against them.
  • Ok, so it's technically possible but relies on us dropping into the command line...

    Mmm, will have to review that a bit further :)

  • If you have an existing cert and key imported to LTM and renew the cert, it should use the existing key. I'd test this with a dummy cert/key first, but I think it should work like that. Else, like Nitass says, you can use openssl to do this on the CLI.

    Note that in v11, not all of the cert/key files are stored in /config/ssl/. They're now under /config/filestore/files_d/Common_d/, with links for default.crt, default.key and ca-bundle.crt going back to /config/ssl/. And you must use the GUI or tmsh to import certs and keys into the filestore. Modifying files in the filestore and reloading the config doesn't work anymore...
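The "run openssl against the existing key" route that Nitass and Aaron describe, as an added example that is not part of the thread: the script below creates a CSR from an already existing private key (no new key is generated) and then checks that the public key inside the CSR really is the one derived from that key, which is the mistake to guard against when the goal is a shared key across servers. The key paths and subject are constructed for the demo; on an LTM you would point it at the key file under /config/ssl (or the v11 filestore location) instead.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Paths are placeholders.
set -e

# make_csr_from_key KEY CSR SUBJECT
# Generates a CSR signed with an EXISTING private key; openssl req -key
# reuses that key instead of creating a fresh one.
make_csr_from_key() {
  key="$1"; csr="$2"; subject="$3"
  openssl req -new -sha256 -key "$key" -out "$csr" -subj "$subject"
}

# csr_matches_key KEY CSR
# Returns 0 when the public key embedded in the CSR is the one derived
# from KEY. Comparing a digest of the two PEM public keys is a quick way
# to confirm the CSR (and later the issued cert) will work with the
# shared key on every box that holds it.
csr_matches_key() {
  key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}')
  csr_pub=$(openssl req -in "$2" -pubkey -noout | openssl sha256 | awk '{print $NF}')
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# demo: constructed throwaway keys in a temp dir. Returns 0 when the CSR
# built from shared.key matches it AND a CSR built from a different key
# is correctly rejected.
demo() {
  dir=$(mktemp -d)
  rc=1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/shared.key" 2>/dev/null
  make_csr_from_key "$dir/shared.key" "$dir/www.csr" "/CN=www.example.test/O=Example"
  if csr_matches_key "$dir/shared.key" "$dir/www.csr"; then
    rc=0
  fi
  # Negative case: a CSR made with some other key must not pass the check.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" 2>/dev/null
  make_csr_from_key "$dir/other.key" "$dir/other.csr" "/CN=www.example.test"
  if csr_matches_key "$dir/shared.key" "$dir/other.csr"; then
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}

demo && echo "CSR uses the existing private key"
```

The check in `csr_matches_key` is the part worth keeping around: after importing the issued certificate on a second F5 or an Apache host, the same comparison against that host's copy of the key tells you whether the pair actually belongs together before you wire it into a client SSL profile.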



  • Aaron

    Cheers for the update.

    Will run some further tests I think...