For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

The-messenger's avatar
The-messenger
Icon for Cirrostratus rankCirrostratus
Nov 05, 2021

Import cert/key together to prevent mismatching

Looking at version 14.1.4, I have BigIPs in 2 data centers. In one data center I have an updated (renewed) SSL cert/key. If I export the cert and key file and then try to import in the other data ce...
application delivery
LTM
The-messenger's avatar
The-messenger
Icon for Cirrostratus rankCirrostratus
Nov 05, 2021

The cert is being exported from one device imported to another. There is no CSR here, just exporting and importing.

I resolved it. I used openssll to combine the .key and .crt file to a .pfx file. Then used the .pfx file to import, at the other datacenter, over-writing the existing cert in place.

Fallout1984's avatar
Fallout1984
Icon for Cirrocumulus rankCirrocumulus
Nov 05, 2021

Ah, okay. Good. I normally use openssl commands when creating certs, more control that way. There's one cert that I have to merge into PFX format for a particular backend server, but that's about the only time I have to use that format.

 

Another thing I started doing as part of my cert creation routine was verify the hash of the CSR and the key match before I export it for the cert request:

 

Example:

 

Generate hash for the private key:

 

openssl pkey -in /config/ssl/ssl.key/apple-pie.com.key -pubout -outform pem | sha256sum

 

Generate hash for the csr:

 

openssl req -in /config/ssl/ssl.csr/apple-pie.com.csr -pubkey -noout -outform pem | sha256sum