Forum Discussion
I have an F5 running 11.5.3.
I am attempting to load a new certificate and key on the F5s. I generate a CSR and key on a Linux system using openssl and submit the .csr to a certificate authority. When I get the certificate, I import the x509, base64-encoded certificate into the F5 via the GUI, and the key. When I attempt to assign the new certificate and key to a VIP, I get a message: 01070317:3: profile /Common/?????-?????-https-redir.appe/?????-?????-https-redir_client-ssl's key and certificate do not match
Is there something special I have to do to import the cert?
I also get the same error if I generate a CSR on the F5 and then import the resulting certificate.
7 Replies
- Brad_Parker
Cirrus
When you are assigning the cert to the ssl profile are you choosing both the correct private key and the cert in the drop downs?
- Gary_Bristol_19
Nimbostratus
Yes, I am. They have some very specific names, as apparently we cannot use our wildcard certificate as it doesn't cover a name.hostname.ou.edu ... so the cer file and the key file are both named name.hostname.ou.edu....
- Brad_Parker
Cirrus
Try checking that the cert, CSR, and private key all match off box using OpenSSL to rule out a bad cert provided by your CA. The output should match for all.
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
- Gary_Bristol_19
Nimbostratus
None of them match, but all of the certificates match each other ???
    [gary@soc-nsm-002 ~]$ openssl rsa -noout -modulus -in elqa_outreach_ou_edu.key | openssl md5
    8b5368774fc1c2fbe4b1986c5a0de0a6
    [gary@soc-nsm-002 ~]$ ls *.key
    elqa.key elqa_outreach_ou_edu.key star_ou_edu.key
    [gary@soc-nsm-002 ~]$ openssl req -noout -modulus -in elqa_outreach_ou_edu.csr | openssl md5
    8b5368774fc1c2fbe4b1986c5a0de0a6
    [gary@soc-nsm-002 ~]$ openssl x509 -noout -modulus -in elqa_outreach_ou_edu-4.cer | openssl md5
    f7d5fe21a30a38854fe7b07a69db8a9a
    [gary@soc-nsm-002 ~]$ openssl x509 -noout -modulus -in elqa_outreach_ou_edu-1.cer | openssl md5
    f7d5fe21a30a38854fe7b07a69db8a9a
    [gary@soc-nsm-002 ~]$ openssl x509 -noout -modulus -in elqa_outreach_ou_edu-2.cer | openssl md5
    f7d5fe21a30a38854fe7b07a69db8a9a
    [gary@soc-nsm-002 ~]$ openssl x509 -noout -modulus -in elqa_outreach_ou_edu-3.cer | openssl md5
    f7d5fe21a30a38854fe7b07a69db8a9a
    [gary@soc-nsm-002 ~]$ openssl x509 -noout -modulus -in elqa_outreach_ou_edu_interm.cer | openssl md5
    f7d5fe21a30a38854fe7b07a69db8a9a
- Gary_Bristol_19
Nimbostratus
OK, I found out the problem: select Other for Certificate type. Download the X509-only certificate with the intermediate and root.
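The off-box check from this thread, as an added example (not code from the thread or from F5): it compares the full public key of the key, the CSR and each certificate, which generalizes the RSA-only modulus comparison to EC keys, and it reports which downloaded file actually belongs to the private key. The function names, file names and the throwaway CA are constructed for illustration.

```bash
# Added example (not from the thread). File names and function names are hypothetical.

# Print the SHA-256 of the public key inside FILE; KIND is key, csr or cert (PEM input).
pub_fp() {           # usage: pub_fp KIND FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1      # unreadable file or wrong kind: never hash empty input
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print each CERT whose public key equals KEY's; return 1 when none matches.
matching_certs() {   # usage: matching_certs KEY CERT...
  local key_fp fp c rc=1
  key_fp=$(pub_fp key "$1") || { echo "cannot read private key: $1" >&2; return 2; }
  shift
  for c in "$@"; do
    if fp=$(pub_fp cert "$c"); then
      if [ "$fp" = "$key_fp" ]; then echo "$c"; rc=0; fi
    else
      echo "not a PEM certificate: $c" >&2
    fi
  done
  return "$rc"
}

# Constructed sample data: throwaway CA, a key + CSR, and the certificate issued for it.
make_sample() {      # usage: make_sample DIR
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
      -subj "/CN=Constructed Test CA" -days 1 &&
    openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
      -subj "/CN=host.example.test" &&
    openssl x509 -req -in host.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
      -out host.cer -days 1 ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_sample "$d" || exit 1
echo "key: $(pub_fp key "$d/host.key")"
echo "csr: $(pub_fp csr "$d/host.csr")"
echo "certificates that belong to host.key:"
matching_certs "$d/host.key" "$d/ca.cer" "$d/host.cer"   # ca.cer stands in for a chain file
rm -rf "$d"
```

A certificate file that is not listed was issued for a different key, for example an intermediate or root from the CA's download bundle.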