For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wixxyl_98682's avatar
wixxyl_98682
Icon for Nimbostratus rankNimbostratus
Dec 05, 2012

Importing existing wildcard?

Dev,

 

 

So we have an existing Geotrust apache wildcard cert for our site. Cane I import this into the LTM? Would that break the existing cert? I'm completely new to certs and I'm not sure what I can and can't do in that regard. Can I generate a new CSR from the LTM, and send that to a CA without it causing havok?

 

basic
getting started
new to f5

5 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 05, 2012
    Hi,

     

     

    Can I import this into the LTM?

     

     

    yes

     

     

    Can I generate a new CSR from the LTM, and send that to a CA without it causing havoc?

     

     

    That's okay too, but you don't need to generate a new CSR if you already have a cert/key generated.

     

     

    You can search on AskF5 for 'import ssl certificate' filtering on your LTM version to get more info.

     

     

    Aaron
  • wixxyl_98682's avatar
    wixxyl_98682
    Icon for Nimbostratus rankNimbostratus
    Dec 05, 2012

    So it looks like the process is really straightforward. Does it matter that it's an Apache cert? or does the F5 even care? If that's all it is, I just need to import the key and the cert and I'm done?

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 06, 2012
    Does it matter that it's an Apache cert? or does the F5 even care?it does not matter.

     

     

    Important: The BIG-IP system uses certificates and keys in the PEM format. In BIG-IP versions prior to 10.1.0, all certificates and keys must be converted prior to importing. For more information, refer to SOL6549: Converting PKCS certificates to PEM format for use with the BIG-IP. Beginning in BIG-IP 10.1.0, PKCS12 certificates may be imported without first converting them.sol10167: Overview of the Client SSL profile

     

    http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html

     

     

    If that's all it is, I just need to import the key and the cert and I'm done?yes.
  • wixxyl_98682's avatar
    wixxyl_98682
    Icon for Nimbostratus rankNimbostratus
    Dec 06, 2012

    Great! That seemed to go okay. I did have to import the key first, I notcied that's not really mentioned anywhere. I tried importing the cert first, then the key and receive an error. I've tried the OpenSSL verification on it, but appraently it doesn't do wildcards, so is there a good way to test that? I want to make sure it's installed correctly since this is my first shot at it. Thank you guys for all the help so far, I'm really very grateful for it.

     

    Edit: that did actually work. There was an option that OpenSSL didn't like, but the MD5 still showed up at the bottom and I didn't see it at first. Looks like it worked fine then. Thanks so much guys, you've really helped me out a lot!

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 06, 2012
    I tried importing the cert first, then the key and receive an error.does md5 checksum match?

     

     

    sol13349: Verifying SSL certificate and key pairs from the command line (11.x)

     

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13349.html