Forum Discussion
Hannes_Rapp
Mar 23, 2015Nimbostratus
Failure in Exporting FIPS Private Keys
I'm attempting to export a FIPS private key but an error is returned. Apparently something is wrong with the file name. Are there any workarounds to have the FIPS private key (.exp) file exported? The majority of the FIPS private keys can be exported without any problems, some of the FIPS keys fail to export.
F5 version: 10.2.4
Fips: 140
[root@bigip1:Active] site-packages fipskey export SDPO_qa.asd.asd.com.key
f5km_export: error 17 - Invalid filename. Filenames may only contain the following characters: [A-Za-z][0-9].-_/
- Support case with F5 opened. Hopyefully we can resolve the issue. Meanwhile if someone has had any experience with similar issues, feel free to recommend your solutions 😉
- Ed_SummersNimbostratusWere these keys imported as (or converted to) FIPS security format and saved on a HSM in the device? If so are you sure you are successfully exporting the keys? I thought a major point of having keys stored as FIPS was to prevent the key from being exportable (and therefore 'stolen' or otherwise used for nefarious means). My understanding is that a FIPS key may still have a .exp file in the BigIP filesystem, but the file is not the full key. This discussion with tech support is fuzzy now, but I believe it is a partial file and may be used by the system as a pointer to the location of the key in the HSM. Interested to hear results of support case and other's inputs.
- Hannes_RappNimbostratusFIPS keys actually are meant to be exportable, and usable, but only on other F5 BigIP systems. In regards to your question, indeed, the FIPS keys were generated on HSM module and they are currently in use in clientssl and serverssl profiles. The method used for generating the keys which can't be exported was not any different. As said, the majority of FIPS keys are usable on other systems, but some FIPS files are either missing or corrupt, even after running the "fipskeys export". Thanks for your response.. so far it appears to be a F5 bug. The FIPS export feature is quite poorly developed on v10.x platform, a lot of FIPS issues are resolved in v11.x but one must try to get there first, without revoking the certificates :)
- Ed_SummersNimbostratusAppreciate the info! I feel I have misunderstood some aspects related to FIPS keys and will need to do a bit of research. The keys are certainly exportable in the fact that HSMs in the same security domain must sync with each other. I did not know manual key export is possible - it sounds as though the exported key is encrypted an useable only in the same security domain, yes? I won't hold up your original thread - appreciate the correction to my understanding!
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects