Forum Discussion

Chirag_Mehta_15's avatar
Chirag_Mehta_15
Icon for Nimbostratus rankNimbostratus
Jul 15, 2011

Extract CSR for SSL Certificate

Hi,

 

 

Please can someone advise as to how one can extract the CSR (Certificate Signing request) file for a SSL certificate on the BIG IP F5

 

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    A previous one? You can't. AFAIK it's not saved anywhere.

     

     

    You can however generate a NEW CSR for an existing key. But if your aim is to get a certificate renewal, I'd recommend generating a NEW keypair and use the CSR from that. (There's no real requirement to get a copy of a CSR. It's only of use to request a signed certificate from a CA. Once signed, you just need the cert and the private key).

     

     

    H
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Actually... I lie...

     

     

    BigIP (10.2.1) saves the CSR's in /config/ssl/ssl.csr

     

     

    H
  • Hi,

     

     

    Yes I am trying to generate a CSR for renewal of an existing certificate. So do I need to export the existing Key ti get there.

     

     

    There is an option to "Renew" how will that work

     

     

    Thanks
  • Hi Chirag,

     

     

    Clicking renew will generate a new CSR with the existing key. If you want to create a new key and CSR, you can use this process:

     

     

    sol7573: Renewing a Certificate Authorities signed certificate that requires a new key without overwriting the current key and certificate

     

    http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7573.html

     

     

    And be aware of this:

     

     

    sol10561: The BIG-IP system may not use a renewed SSL certificate

     

    http://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html

     

     

    Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    I always insist on a new keypair... It's no trouble to do and so much safer if old backups etc get compromised.

     

     

    You also get to increase the keylength...

     

     

    H
  • The CSR can be generated by creating a new SSL certificate. Go to LTM, SSL Certificates & then select create & once you press finish after filling in the details a CSR is generated which can be used for getting the certificate from the Certificate Authority e.g. Verisign.