Forum Discussion
GavinW_29074
Nimbostratus
NimbostratusCreate SSL CSR Against existing Key
Hi there,
We're coming from an existing Apache set-up, whereby all CSR's were generated by OpenSSL on a Linux server against a defined Private Key. This meant that these certificates were easily transferable between web servers which all shared a common Private Key...
From looking at the F5's, it appears that on generating a CSR, it's not possible to specify a Private Key to use... Obviously this means that each certificate has a different private key, which means that moving it to another server, Apache instance or DR F5's becomes a bit more complex...
Is it possible to specify that the F5 uses a pre-existing Private Key when generating a CSR?
Or is there an equally easy way to move keys from one F5 to another, etc...
Cheers
Gav
nitassEmployee
all private key, csr and certificate are stored in /config/ssl directory. you are able to run openssl against them.
GavinW_29074Ok, so it's technically possible but relies on us dropping into the command line...
Mmm, will have to review that a bit further :)
Cheers
Gav
hooleylistCirrostratus
If you have an existing cert and key imported to LTM and renew the cert, it should use the existing key. I'd test this with a dummy cert/key first, but I think it should work like that. Else, like Nitass says, you can use openssl to do this on the CLI.
Note that in v11, not all of the cert/key files are stored in /config/ssl/. They're now under /config/filestore/files_d/Common_d/ with links for default.crt, default.key, ca-bundle.crt going back to /config/ssl/. And you must use the GUI or tmsh to import certs and keys into the filestore. Modifying files in the filestore and reloading the config doesn't work anymore...
Aaron- GavinW_29074Aaron
Cheers for the update.
Will run some further tests I think...
Gav