Forum Discussion

F5_324021's avatar
F5_324021
Icon for Cirrus rankCirrus
Oct 05, 2017

Exporting SSL Certificate to another BIG IP

Hello,   We are upgrading our F5 boxes and we need to to move all the traffic SSL certificates to a new box.   The certificates that are on the old box was signed by a CA after generating a CSR...
application delivery
LTM
  • F5_324021's avatar
    F5_324021
    Nov 25, 2017

    I have done the changes successfully, and it worked by simply uploading the signed cert with the key and the cert key chain from the signed authority side.

     

    Thanks :)

     

F5_Digger_13600's avatar
F5_Digger_13600
Icon for Cirrus rankCirrus
Oct 05, 2017

Hi

 

 

Based on your explanation, it seems the certs are all self-signed and they are already associated with with virtual servers through client or server ssl profiles.

 

If that is the case, I would vote for recreating self-signed certs and key on the new box but use the same cert and key name so that you don't need to change anything from existing client or server ssl profile.

 

One catch would be to import certs and key first before you import client and server ssl profiles.

 

  • RaghavendraSY's avatar
    RaghavendraSY
    Icon for Altostratus rankAltostratus
    Oct 05, 2017

    You can export certificates and key from F5-A and import in F5-B. While importing please import both certificate and key separately. It works fine and we did same in our environment

     

  • RaghavendraSY's avatar
    RaghavendraSY
    Icon for Altostratus rankAltostratus
    Oct 05, 2017

    Import both certificate and key separately with same name.

     

  • F5_324021's avatar
    F5_324021
    Icon for Cirrus rankCirrus
    Oct 05, 2017

    Hello ,

     

    Thanks for your replies,

     

    So no need to regenerate a CSR from the new box?

     

    simply exporting the SSL traffic Cert and its key will work?without the CSR presented on the box?

     

  • RaghavendraSY's avatar
    RaghavendraSY
    Icon for Altostratus rankAltostratus
    Oct 05, 2017

    Yes. that is correct. Please let us know once you did the above changes

     

  • F5_Digger_13600's avatar
    F5_Digger_13600
    Icon for Cirrus rankCirrus
    Oct 05, 2017

    Exporting certs and keys from an old box and importing them in a new box will work.

     

    However I think, overall time to complete this task, building new certs and keys on the new box would be much faster. Use tmsh command line script like below.

     

     

     

    !! Generate Key and Cert

     

    tmsh create sys crypto key test.com.key key-type rsa-private key-size 2048

     

    tmsh create sys crypto cert test.com.crt key test.com.key common-nake *.test.com

     

     

    !! Install Key and Cert

     

    tmsh install sys crypto key test.com.key from-local-file /config/filestore/files_d/Common_d/certificate_key.d/:Common:test.com.key_41040_1

     

    tmsh install sys crypto cert test.com.crt from-local-file /config/filestore/files_d/Common_d/certificate_d/:Common:test.com.crt_41044_1

     

  • F5_324021's avatar
    F5_324021
    Icon for Cirrus rankCirrus
    Oct 06, 2017

    Just want to clarify here that our traffic certifications are not self signed and they are signed by an authorized CA ,all what we did on the old box is generating a CSR and pushed to the CA after that we got the cert file and a key with the cert key chain of the CA itself.

     

    So in that case is it correct that we can just export the cert and the keys with the cert key chain to the new box and the SSL traffic certification will work fine or should we repeat the same process that was done on the old box.

     

    Thank you..