Rotate SSL Cert and Encrypted Key with iControl REST API

Question

I'm trying to rotate SSL Certs and Encrypted Keys (i.e. those protected with a passphrase) using the iControl REST API. If the Cert and Key are in use on a Client SSL Profile (the very normal situation), I get the error "error:0906A068:PEM routines:PEM_do_header:bad password read" when patching

/mgmt/tm/sys/file/ssl-key

. What is the correct procedure to rotate in this scenario?

Also, since I believe I have to update the passphrase on the Client SSL Profile, does that mean there may be a downtime for any Virtual Servers using that profile? I see a warning about this in K15462: Managing SSL certificates for BIG-IP systems using tmsh but not in K14620: Manage SSL certificates for BIG-IP systems using the Configuration utility, though neither of those articles speak to the iControl REST API.

nik · Answer

Did you end up figuring this out?&nbsp; I have a similar issue, when trying to install a new cert + key using the api that are different from what currently exists on the f5 -"code": 400,"message": "01070317:3: profile /Common/foo.com's key(/Common/foo.com) and certificate(/Common/foo.com) do not match.","errorStack": [],"apiError": 3&nbsp;

Forum Discussion

Rotate SSL Cert and Encrypted Key with iControl REST API

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

ASM Export JSON - size Limit ?

SNI Sites not taking correct certificate.

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

F5 LTM listening on 3306

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Automating NGINX Certificate Rotation on AWS

Load Balancing TCP TLS Encrypted Syslog Messages

Automate Let's Encrypt Certificates on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS