Forum Discussion

mulhollandm_648's avatar
mulhollandm_648
Icon for Nimbostratus rankNimbostratus
Aug 26, 2009

Server Cert install problems

folks

 

 

i'm having difficulties installing a server cert on my F5 4300

 

 

i have generated the csr and sent it to my CA (an internal PKI server) but when i get the Base64 cert back i open it in notepad and paste the contents into the f5 i get an invalid cert error

 

 

i've also copied in the private key and the encryption password is the right one

 

 

i'm told the certificate from the pki server also contains the certificate chain but i'm not really sure what this means

 

 

can anyone give me some guidance or advice?

 

 

thanks to anyone taking the time to reply
config
design
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 26, 2009
    Are the cert and key PEM encoded? If not, you'll need to convert them to PEM first. You can use openssl on LTM to do this. Just search for convert certificate on AskF5.

     

     

    If the cert/key are in PEM format, you should see the following format:

     

     

     

    -----BEGIN CERTIFICATE-----

     

    MIIEPzCCA6gCAQEwDQYJKoZIhvcNAQEEBQAwgaMxCzAJBgNVBAYTAkVYMRYwFAYD

     

    YEAUAk16xvH2y3cS3Zf3TVQA7lu4JGqiP8YBRjhHvvZwOm3IAYMlZ7OsURGEZkC

     

    ...

     

    EeCDRJvnwAk1PK8YUJk5dWBF7u30ndaQ+Bov1vlAy1qGrTpg/N79rdqSjnU881Tb

     

    JdhGUTzpSZKIwLLckSkxkzP/65NG6IxOr+i1oAVkBdJ1N48=

     

    -----END CERTIFICATE-----

     

     

     

     

    If you see multiple certs in the file, you'll want to split out the actual server cert from the rest. You can use openssl to print out details on the cert:

     

     

    openssl x509 -in server.example.com.crt -noout -text

     

     

    Check for the certificate subject to see which cert is which. Then copy out just the server cert. You can either copy the file to /config/ssl/ssl.crt/ or upload it via the GUI.

     

     

    Once you have just the server cert imported, you can try to import the key through the GUI as well.

     

     

    Aaron
  • mulhollandm_648's avatar
    mulhollandm_648
    Icon for Nimbostratus rankNimbostratus
    Aug 26, 2009
    aaron

     

     

    many thanks for your reply, its greatly appreciated

     

     

    i have 2 certs in the response to my csr, a Base64_certnew and a DER_certnew

     

     

    once i open either of the certs i can see 4 certs

     

     

    - the F5 servername

     

    - intermediate CA

     

    - level 2 enterprise CA

     

    - root CA

     

     

    i've installed the F5 servername cert but get a Your certificate chain cannot be fully verified error

     

     

    is there more i need to do on the f5

     

     

    thanks again
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 27, 2009
    I'm guessing the base64_certnew is in PEM format if you were able to import the cert/key to the LTM. Once you import the cert/key, combine the rest of the root/intermediate CA certs in one file using a text editor and then import them as a cert. You can then select that bundle in the client SSL profile as the chain certificate. The browser should then correctly tie the server cert to the corresponding root cert in the browser cert store.

     

     

    Aaron