Forum Discussion
K-Dubb
Nimbostratus
Feb 02, 2011
Export Verisign SSL Cert from BIGIP to IIS?
Hi,
I am sorry if this is the wrong area for this question, but I did not see a more suitable spot for this question. We are in the process of bringing online a second Datacenter that will be used for DR. The problem is, we will not have a BIGIP unit there. We will use NLB with IIS servers. My question is, assuming we don't use both at the same time, is there a procedure to export Verisign SSL Certs from the BIGIP unit that can then be imported into IIS? I found a solution of doing the opposite (Import IIS Cert into BIGIP SOL6549) but I am not sure if this can be reversed or not? I am also not sure if Verisign certs for BIGIP units will even work in IIS.
Any help is appreciated!
Thanks.
8 Replies
- dathomas111_201
Altocumulus
You can use openssl from the CLI to export the cert into the proper format, then perform a simple file transfer to an ftp server. I believe pk12 format is what is required for IIS but I could be mistaken. Either way, here is the syntax that should work.
Openssl pkcs12 -export -out file.p12 -inkey /config/ssl/ssl.key/.key -in /config/ssl/ssl.crt/.crt
- K-Dubb
Nimbostratus
Posted By dathomas111 on 02/02/2011 10:52 AM
You can use openssl from the CLI to export the cert into the proper format, then perform a simple file transfer to an ftp server. I believe pk12 format is what is required for IIS but I could be mistaken. Either way, here is the syntax that should work.
Openssl pkcs12 -export -out file.p12 -inkey /config/ssl/ssl.key/.key -in /config/ssl/ssl.crt/.crt
Thanks. I am on 9.4.8, is there something I have to do to enable openSSL? I am getting: -bash: Openssl: command not found
- Chris_Miller
Altostratus
Posted By K-Dubb on 02/03/2011 07:05 AM
Posted By dathomas111 on 02/02/2011 10:52 AM
You can use openssl from the CLI to export the cert into the proper format, then perform a simple file transfer to an ftp server. I believe pk12 format is what is required for IIS but I could be mistaken. Either way, here is the syntax that should work.
Openssl pkcs12 -export -out file.p12 -inkey /config/ssl/ssl.key/.key -in /config/ssl/ssl.crt/.crt
Thanks. I am on 9.4.8, is there something I have to do to enable openSSL? I am getting: -bash: Openssl: command not found
Good old case insensitivity, try "openssl" instead of "Openssl."
- K-Dubb
Nimbostratus
Thanks. Is this supposed to create a .crt file? I ask because the command appeared to work, but I do not see a file. I have looked around and do not see the file.
Also, we already have .crt files for every .key file, so I am wondering if these will work?
How can I make sure that doing the export doesn't destroy the cert on the F5?
- Chris_Miller
Altostratus
It should create a .p12 file in the directory from which you ran the command.
- K-Dubb
Nimbostratus
It sure did, thanks. Would you expect this to destroy the cert on the F5 then, or will it still be valid?
- Chris_Miller
Altostratus
Posted By K-Dubb on 02/04/2011 09:15 AM
It sure did, thanks. Would you expect this to destroy the cert on the F5 then, or will it still be valid?
F5 one is just fine. The openssl command just read the key/cert so it could make the .p12 file. It didn't alter the key/cert in any way.
- K-Dubb
Nimbostratus
Thanks for the help!
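
The export discussed in this thread, wrapped with the checks the questions point at, as an added example that is not part of any poster's reply: it confirms the key matches the certificate, shows the source files are only read, and reads the .p12 back. It runs on a constructed throwaway key pair; `export_p12`, `make_demo_pair`, `P12_PASS` and the file names are assumptions.

```shell
#!/bin/sh
# Added example. Throwaway key/cert pairs stand in for the BIG-IP files under
# /config/ssl/ssl.key/ and /config/ssl/ssl.crt/; all names here are hypothetical.

# SHA-256 of the public key inside a certificate / derived from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r; }
key_pub()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 -r; }

# Constructed sample input: self-signed pair $1/$2.key and $1/$2.crt.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# export_p12 KEY CRT OUT: same export as in the thread, with checks around it.
# The export password comes from the exported environment variable P12_PASS.
export_p12() (
  key=$1; crt=$2; out=$3
  # 1. Refuse to bundle a key that does not belong to the certificate.
  [ "$(cert_pub "$crt")" = "$(key_pub "$key")" ] || { echo "key/cert mismatch" >&2; exit 1; }
  before=$(cat "$key" "$crt" | openssl dgst -sha256 -r)
  # 2. The .p12 holds the private key: create it readable by the owner only.
  umask 077
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
    -passout env:P12_PASS || exit 1
  # 3. The source files are only read, so their digest must be unchanged.
  [ "$before" = "$(cat "$key" "$crt" | openssl dgst -sha256 -r)" ] || exit 1
  # 4. Read the bundle back: it must carry the same certificate public key.
  inside=$(openssl pkcs12 -in "$out" -passin env:P12_PASS -nokeys 2>/dev/null |
           openssl x509 -noout -pubkey | openssl dgst -sha256 -r)
  [ "$inside" = "$(cert_pub "$crt")" ] || exit 1
)

# Stand-alone run on constructed input.
P12_PASS='constructed-demo-pass'; export P12_PASS
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" site
export_p12 "$demo_dir/site.key" "$demo_dir/site.crt" "$demo_dir/site.p12" &&
  echo "exported and verified: site.p12"
rm -rf "$demo_dir"
```

The resulting .p12 is the file that gets imported on the IIS side, together with the export password.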