Forum Discussion
SSL cert bundle - how to extract the intermediate?
We have a new cert provider and instead of sending me a zip file with the cert and intermediate, they sent the cert and a bundle. Any idea how to extract the intermediate cert text from that bundle so I can import into the F5 and use with an SSL profile?
Thanks!
first you need to know if it is PKCS#7 or PKCS#12
try opening the cert bundle file in Notepad++, just for checking if it works, else the above method using open SSL is
This is the easiest way I have tried hundreds of times
There you can see different section
------------BEGIN CERTIFICATE------------
------------END CERTIFICATE------------
This way you can save them in different files with different names and see, just double click in windows so that you can see which is certificate which is intermediate certificate.
if it includes key as well then you will see section
------------BEGIN KEY------------
------------END KEY------------
When you open the bundle in Notepad++ it may look like this
subject=CN = Test.ABC.com, C = US, ST = Virginia, L = Falls Church, OU = MYIT, O = ABC.TEST
issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Issuing CA
-----BEGIN CERTIFICATE-----
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
-----END CERTIFICATE-----subject=CN = Test.ABC.com, C = US, ST = Virginia, L = Falls Church, OU = MYIT, O = TEST ROT CA ABC.TEST
issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Intermediate CA
-----BEGIN CERTIFICATE-----
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
-----END CERTIFICATE-----subject=C = US, O = IT Technology Company, OU = Security, CN = TEST Intermediate CA ABC.TEST
issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Root CA
-----BEGIN CERTIFICATE-----
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
-----END CERTIFICATE-----The easy way to IMPORT CERTIFICATE and Keys in GUI is to go and select Paste Text and paste the certificate plain text into the text box.
For importing certificate available in a notepad text file give a name of the certificate, don't use any extension or .crt name in the end else it will be shown 2 time in cli, after creation, so just use name and no extension or .crt
Paste any of the certificates in the Certificate Source are marked in Number 8 in blue circle below. and Import
Same do for key and in name no .key extension
Impact of procedure: Performing the following procedures should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to the SSL Certificate List page:
- For BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
- For BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
- Select Import.
- In the Import Type list, select Certificate.
- For Certificate Name, select Create New and enter a unique name for the certificate, or select Overwrite Existing to overwrite an existing certificate, and in the list, select the certificate file that you want to overwrite.
- For Certificate Source, select Upload File and select Choose File to browse to the file location, or select Paste Text and paste the certificate plain text into the text box.
- Select Import.
- You can now associate the SSL certificate with the appropriate SSL profile.
Import an SSL private key
You can use the following procedure to import an existing SSL private key.
Impact of procedure: Performing the following procedures should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to the SSL Certificate List page:
- For BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
- For BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
- Select Import.
- In the Import Type list, select Key.
- For Key Name, select Create New and enter a unique name for the key, or select Overwrite Existing to overwrite an existing key, and in the list, select the key file that you want to overwrite.Note: When you provide the same name for the key and the certificate, the system associates them for you and they appear in the same row in the Configuration utility.
- Note: The certificate and key must match. The system reports an error when you associate a non-matching certificate and key in the ClientSSL or ServerSSL profiles. For more information, refer to K61555083: Renewed certificate fails to import, with error "key and certificate do not match".
- For Key Source, select Upload File and select Choose File to browse to the file location, or select Paste Text and paste the key plain text into the text box.
- If you want to set a password for the key, in the Security Type list, select Password and enter a password in the Password box.
- Select Import.
Manage SSL certificates for BIG-IP systems using the Configuration utility (f5.com)
Please rate if it helps, and mark as solution.
🙏
first you need to know if it is PKCS#7 or PKCS#12
try opening the cert bundle file in Notepad++, just for checking if it works, else the above method using open SSL is
This is the easiest way I have tried hundreds of times
There you can see different section
------------BEGIN CERTIFICATE------------
------------END CERTIFICATE------------
This way you can save them in different files with different names and see, just double click in windows so that you can see which is certificate which is intermediate certificate.
if it includes key as well then you will see section
------------BEGIN KEY------------
------------END KEY------------
When you open the bundle in Notepad++ it may look like this
subject=CN = Test.ABC.com, C = US, ST = Virginia, L = Falls Church, OU = MYIT, O = ABC.TEST
issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Issuing CA
-----BEGIN CERTIFICATE-----
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
-----END CERTIFICATE-----subject=CN = Test.ABC.com, C = US, ST = Virginia, L = Falls Church, OU = MYIT, O = TEST ROT CA ABC.TEST
issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Intermediate CA
-----BEGIN CERTIFICATE-----
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
-----END CERTIFICATE-----subject=C = US, O = IT Technology Company, OU = Security, CN = TEST Intermediate CA ABC.TEST
issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Root CA
-----BEGIN CERTIFICATE-----
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
ajd;lasd;lksa;ldhvcNAQELBQADggEBADMqDa9wjW3KwLgN0WOkYMIzhml1TiE
hf3CXaJGBfEZByStLTXPa6VY/QaBnW/LAUTB+VIzBBZzIxWb/ttD2IqpNfB
DomRE8zG0MHkoZAsXZPDjXMW2I8Ef+KRE6nXe692FLhdx/cds1/RK3iEQDZbHD3x
zOYELaBfHjJUZolLWOtf0UPbOn6JLKNcHEQD86mUEJdd59z+QB/DG+ZLdOPQ3epx
GARBLED VALUES AS its a DUMMy not to be used
GARBLED VALUES AS its a DUMMy not to be used
-----END CERTIFICATE-----The easy way to IMPORT CERTIFICATE and Keys in GUI is to go and select Paste Text and paste the certificate plain text into the text box.
For importing certificate available in a notepad text file give a name of the certificate, don't use any extension or .crt name in the end else it will be shown 2 time in cli, after creation, so just use name and no extension or .crt
Paste any of the certificates in the Certificate Source are marked in Number 8 in blue circle below. and Import
Same do for key and in name no .key extension
Impact of procedure: Performing the following procedures should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to the SSL Certificate List page:
- For BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
- For BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
- Select Import.
- In the Import Type list, select Certificate.
- For Certificate Name, select Create New and enter a unique name for the certificate, or select Overwrite Existing to overwrite an existing certificate, and in the list, select the certificate file that you want to overwrite.
- For Certificate Source, select Upload File and select Choose File to browse to the file location, or select Paste Text and paste the certificate plain text into the text box.
- Select Import.
- You can now associate the SSL certificate with the appropriate SSL profile.
Import an SSL private key
You can use the following procedure to import an existing SSL private key.
Impact of procedure: Performing the following procedures should not have a negative impact on your system.
- Log in to the Configuration utility.
- Go to the SSL Certificate List page:
- For BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
- For BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
- Select Import.
- In the Import Type list, select Key.
- For Key Name, select Create New and enter a unique name for the key, or select Overwrite Existing to overwrite an existing key, and in the list, select the key file that you want to overwrite.Note: When you provide the same name for the key and the certificate, the system associates them for you and they appear in the same row in the Configuration utility.
- Note: The certificate and key must match. The system reports an error when you associate a non-matching certificate and key in the ClientSSL or ServerSSL profiles. For more information, refer to K61555083: Renewed certificate fails to import, with error "key and certificate do not match".
- For Key Source, select Upload File and select Choose File to browse to the file location, or select Paste Text and paste the key plain text into the text box.
- If you want to set a password for the key, in the Security Type list, select Password and enter a password in the Password box.
- Select Import.
Manage SSL certificates for BIG-IP systems using the Configuration utility (f5.com)
Please rate if it helps, and mark as solution.
🙏
- JD_TomzakCirrus
All good. Thanks!
- JD_TomzakCirrus
Looks like I already solved this...openssl command needed to be modified. (drop the noout part)
- JD_TomzakCirrus
openssl crl2pkcs7 -nocrl -certfile xxxxxxx.ca-bundle | openssl pkcs7 -print_certs -text
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com