For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

stecino_87658's avatar
stecino_87658
Icon for Nimbostratus rankNimbostratus
Jan 22, 2016

Private key format changes when migrating from 9.x to 11.x using IControl API

Hello,   I am running into an issue when I migrate private key from one LTM to another. This doesn't happen with crt file   I use obj.Management.KeyCertificate.key_export_to_pem to get the key ...
devops
iControl
Jason_Cohen_417's avatar
Jason_Cohen_417
Historic F5 Account
Sep 23, 2016

The format that starts with '-----BEGIN RSA PUBLIC KEY-----' is PKCS1. It is simply the key object. It must be an RSA key (as indicated by the block header). The format that starts with '-----BEGIN PUBLIC KEY-----' is PKCS8. The key type and algorithm are are encoded within the base64 encoded data.

 

Further reading: http://stackoverflow.com/questions/20065304/what-is-the-differences-between-begin-rsa-private-key-and-begin-private-key

 

Convert to PKCS8 format: $ openssl pkcs8 -topk8 -in keyfrom9x.key -nocrypt -out pcsk8.key $ md5sum pkcs8.key 2771112811d82b6fb29d55656d957b1e pkcs8.key << The key is the same as stored by the BIGIP $ md5sum 2771112811d82b6fb29d55656d957b1e keyimportedto11x.key

 

$ openssl rsa -in pcsk8.key -out rsa-new.key << This should work, and does on my systems. writing RSA key

 

$ md5sum rsa-new.key efb57dd9a66be6822669a673db007ea7 rsa-new.key << The key converted from PKCS1 to PKCS8 and back to PKCS1 $ md5sum efb57dd9a66be6822669a673db007ea7 keyfrom9x.key << is the same as the original