IIS Certs into LTM

Question

Hi,&nbsp;
&nbsp;I have several IIS SSL Certificates.&nbsp;
&nbsp;I want to configure my LTM to terminate my SSL sessions and have the web servers run on port 80.  To do this, I need to install my current certificates on the LTM.&nbsp;
&nbsp;I have successfully installed the certificates, but I'm having a heck of a time obtaining the private keys from my current certificates to paste them into the LTM to allow me to create the appropiate IIS profiles for my Virtual Servers.&nbsp;
&nbsp;I'm sure someone else has crossed this bridge before, but I could not find their post.&nbsp;
&nbsp;Help...&nbsp;
&nbsp;Thanks ahead of time for your help,
&nbsp;Michael

chad_emerson_85 · Answer

Importing an IIS .pfx file certificate into Apache or other non-Windows-based servers.&nbsp;
&nbsp;Most servers use plaintext certificate files. The certificate files that you download from your digicert account are already in this format. However, the private key that was generated on your IIS server is not yet in this format. This same private key is required for your certificate to function properly on your non-Windows-based server. To export the private key from the Windows IIS server to your non-windows-based machine, you must extract the private key from a Windows .pfx backup certificate. To do this you will use the OpenSSL utility to extract the private key from the .pfx backup file:
&nbsp;1.) First backup the certificate you have working on your IIS server to a .pfx file using the instructions listed above.
&nbsp;2.) Second, use the following OpenSSL command to create a new text file from which you can separate the Private Key:&nbsp;
&nbsp;    openssl pkcs12 -in mypfxfile.pfx -out outputfile.txt -nodes&nbsp;
&nbsp;    where mypfxfile.pfx is the certificate backup from your IIS server.&nbsp;
&nbsp;3.) The above command would have created a text file named outputfile.txt. Open this file with a text editor and you will see the private key listed first:&nbsp;
&nbsp;    -----BEGIN RSA PRIVATE KEY-----
&nbsp;    (Block of Random Text)
&nbsp;    -----END RSA PRIVATE KEY-----&nbsp;&nbsp;
&nbsp;4.) Copy and paste all of the private key, including the BEGIN and END tags to a new text file and save it as your_domain_name.key
&nbsp;5.) Use the Digicert Certificate Installation Instructions to install the the .key file you just created and the other certificate files from your Digicert Account to your new server.&nbsp;&nbsp;
&nbsp;Another great question that would fall into a dedicated LTM forum! Hope this helps!&nbsp;

michael_million · Answer

This worked perfectly.  The only thing that I ran into is that some of our certificates were imported with the ability to export button not selected.  Therefore, when creating the .pfx, the private key is not part of it.  I'm still researching how to get around this.&nbsp;
&nbsp;Thanks for the quick and acturate response,
&nbsp;Michael

Forum Discussion

IIS Certs into LTM

Recent Discussions

How to Renew F5 Device Certificate

How to export a list of paired external service providers from APM?

BIG-IP Edge Endpoint Inspection Failure pre-VPN

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

LTM Policy Recipes II

Especial Load Balancing Active-Passive Scenario (II)

Use Kubernetes Cert-Manager to Maintain Let's Encrypt Certificates

Advanced API Access Control with BIG-IP APM – Part II

IIS X-Forward-For ISAPI Filter

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS