Forum Discussion

flicky2000_1616
Nov 15, 2015

F5 Self Signed Cert...Client-SSL-Profile Issue

Hi, I've used the process below to create a new self-signed cert and key on the F5 (from https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14534.html). My cert and key are created fine using openssl on the CLI, but it won't apply to a Client-SSL profile in the GUI (from the client-ssl profile I choose my new certificate and key). It just won't take it; it just defaults back to the original certificate=ca-bundle and key=default. Am I missing something? We are running version 11.5.3.

Thanks

Generating a new SSL private key and self-signed certificate:

1. Log in to the BIG-IP command line.

2. Generate a new SSL private key and self-signed certificate using the following command syntax:

   openssl req -x509 -nodes -newkey rsa: -keyout -out -days < of days>

   For example, the following command generates a new 2048-bit SSL private key in the /config/ssl/ssl.key/ directory named f5test.com_self-signed_2015.key, and a self-signed certificate in the /config/ssl/ssl.crt/ directory named f5test.com_self-signed_2015.crt:

   openssl req -x509 -nodes -newkey rsa:2048 -keyout /config/ssl/ssl.key/f5test.com_self-signed_2015.key -out /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt -days 365

   Note: The -nodes option removes the passphrase prompt for the key. If you want to add a passphrase to the key for extra security, refer to SOL14912: Adding and removing encryption from private SSL keys (11.x - 12.x).

3. Install the new SSL private key and self-signed certificate in the BIG-IP filestore using the following command syntax:

   tmsh install /sys crypto key from-local-file
   tmsh install /sys crypto cert from-local-file

   For example, to install the SSL private key and self-signed certificate generated in the previous steps:

   tmsh install /sys crypto key f5test.com_self-signed_2015.key from-local-file /config/ssl/ssl.key/f5test.com_self-signed_2015.key
   tmsh install /sys crypto cert f5test.com_self-signed_2015.crt from-local-file /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt

4. The SSL private key and self-signed certificate can now be associated with an SSL profile.

  • Ok, we figured this out. Nothing was broken; it's just a human factors issue with the interface. The dropdown options for cert/key are just lists; they don't actually select the options unless you click "Add", which puts the selections in the text input box just below. This was confusing because so many other config menus in the F5 are "select a dropdown box option and save the config", but for some reason this is different.

    So bottom line, once we clicked "Add", which copied the selections from the dropdown box to the free text entry field below, and saved the config, it worked.

    1. After creating the cert and key
    2. installed the cert and key in the keystore
    3. I created a new client-ssl profile and assigned the cert and key to the profile using the GUI, and the profile was created; if you click the certificate key chain it will show the correct cert/key.

    Also you can use tmsh: create ltm profile client-ssl test cert f5test.com_self-signed_2015.crt key f5test.com_self-signed_2015.key chain none

    Output:

    ltm profile client-ssl test { cert f5test.com_self-signed_2015.crt key f5test.com_self-signed_2015.key }

  • Also, this is expected behaviour which you are seeing: you will be applying the cert and key, and after submitting you are seeing some different cert/key in the profile.

    But this does not change the cert/key in reality; if you check the tmsh output of "list ltm profile client-ssl" you will see the cert/key which you attached.

    Behaviour is like this: when you select the clientssl profile under Local Traffic --> Profiles --> SSL --> Client, F5 will present the first alphabetical certificate/key from the SSL certificate list from System --> File Management --> SSL Certificate List.

    It doesn't affect anything (or traffic), but it doesn't make sense.

    Link for reference: https://devcentral.f5.com/questions/f5-self-signed-certclient-ssl-profile-issue
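As an added example (not from this thread or from F5), a small POSIX shell helper that does the check the reply above recommends: it parses the output of "tmsh list ltm profile client-ssl <name>" and confirms the profile really binds the intended cert/key pair, instead of trusting the GUI dropdown that re-displays the first alphabetical pair. The two sample outputs, the "ca-bundle.crt"/"default.key" pair in the mismatch sample, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: confirm which cert/key a BIG-IP client-ssl profile really
# references by parsing "tmsh list ltm profile client-ssl <name>" output,
# since the GUI dropdown re-displays the first alphabetical pair instead.

# tmsh_field FIELD < tmsh_output
# Print the token that follows FIELD ("cert" or "key") in tmsh brace output.
# Handles both the one-line form quoted in the thread and multi-line output.
tmsh_field() {
    awk -v f="$1" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i+1); exit } }'
}

# verify_profile_pair EXPECTED_CERT EXPECTED_KEY < tmsh_output
# Returns 0 when the profile binds exactly that pair, 1 otherwise.
verify_profile_pair() {
    _want_cert="$1"; _want_key="$2"
    _out=$(cat)
    _cert=$(printf '%s\n' "$_out" | tmsh_field cert)
    _key=$(printf '%s\n' "$_out" | tmsh_field key)
    if [ "$_cert" = "$_want_cert" ] && [ "$_key" = "$_want_key" ]; then
        echo "OK: profile uses $_cert / $_key"
        return 0
    fi
    echo "MISMATCH: profile uses cert=${_cert:-none} key=${_key:-none}," \
         "expected $_want_cert / $_want_key" >&2
    return 1
}

# check_live_profile NAME EXPECTED_CERT EXPECTED_KEY
# Runs the real query on a BIG-IP; returns 2 if tmsh is not available here.
check_live_profile() {
    command -v tmsh >/dev/null 2>&1 || { echo "tmsh not found" >&2; return 2; }
    tmsh list ltm profile client-ssl "$1" | verify_profile_pair "$2" "$3"
}

# Constructed samples: the output quoted in the thread, and a profile that
# silently kept a different pair (the second pair's names are made up here).
SAMPLE_GOOD='ltm profile client-ssl test { cert f5test.com_self-signed_2015.crt key f5test.com_self-signed_2015.key }'
SAMPLE_BAD='ltm profile client-ssl test {
    cert ca-bundle.crt
    key default.key
}'

# On the box: check_live_profile test f5test.com_self-signed_2015.crt f5test.com_self-signed_2015.key
```

Run it on the BIG-IP after saving the profile; a MISMATCH (or no cert/key token at all) means the dropdown selection was never added, regardless of what the GUI page shows.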

  • I'm having a similar issue. I created a self-signed SSL cert via the GUI in 11.6 HF6, and when I create a new child Client-SSL profile, it does not create it using the new cert/key. The GUI behaves as above, so it's impossible to see what the profile actually is. However, when viewing the Client-SSL profile in TMSH it shows that it's using the default cert/key.

  • We did resolve this, but we had to delete the Client SSL Profile completely and re-create a new one with a new name. We could then apply the certificate.
