Forum Discussion

tplambeck's avatar
tplambeck
Icon for Nimbostratus rankNimbostratus
May 24, 2023

Creating a Cert/Key archive, returns "bad status: -14"

When attempting to create an archive of hundreds of Certs and Keys, the LTM returns:

Key management library returned bad status: -14, Keys do not match.

Ideas on how to get around this without have to easter egg for the presummed bad key?

  • tplambeck Are you trying to run a UCS backup and then it's failing? If you are wanting to only backup the SSL certs and keys you can copy these two directories to a server and then archiving them that way.

     

     

    /config/filestore/files_d/Common_d/certificate_d/
    /config/filestore/files_d/Common_d/certificate_key_d/

     

    The files should all start with :Common: assuming you are just using the Common partition.

  • I am attempting create an archive from the GUI when I encounter the error. I have pulled the files and moved them over and attempting to "install" them at the moment with a bash script (F5 doesn't have a way to ingest multiple certs/keys via the cli).

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP

      tplambeck Once you have these files you can drop them into a directory you create with path /shared/tmp/ssl_files_import/ and once that is done you can import them using the following commands.

      install sys crypto cert <name_of_cert_in_GUI> from-local-file /shared/tmp/<existing_cert_name>
      install sys crypto key <name_of_key_in_GUI> from-local-file /shared/tmp/<existing_key_name>

      It's important that you have an accurate list of names from the GUI as well as an accurate list of which cert and key files belong to the associate GUI name. This list should go quick on importing if you do it this way. I'm sure some scripting could be done to allow you to come up with the CLI commands quicker but that's all I have for now.

      Make sure that after you import all the files that you issue a "save sys config" to ensure your changes are saved to memory.