Forum Discussion
SSL Client Profile key and certificate do not match error when importing from pfx
I'm trying to renew a certificate by importing it from a pfx and giving it the same cert name.
I got this error message - 01070317:3: profile /mypartition/mysslclientprofile's key and certificate do not match.
The key is not with a passphrase.
I've tested the cert and key; they match perfectly.
- openssl x509 -in / -modulus -noout | openssl md5
- openssl rsa -in / -modulus -noout | openssl md5
BIG-IP 11.5.0 Build 4.0.245 Hotfix HF4
Any idea?
3 Replies
- Kevin_Stewart
Employee
A .pfx is generally a certificate and private key. Is it possible that you generated a new key when requesting your new cert? If you upload the .pfx as a separate name, does that work?
- longpad_163908
Nimbostratus
Thanks Kevin,
The pfx came from a CA, and I can import the pfx file with a new/different certificate name from the one that I want to renew.
After I updated the SSL client profile and pointed it to the new certificate name, the old cert could be renewed by importing the same pfx. I guess there must be something wrong with the client profile.
I've got like a hundred URLs and certs; I don't want to import the pfx twice for every URL.
Any help would be appreciated.
- Kevin_Stewart
Employee
I would be wary that the CA didn't also generate a new private key in the process. If it did, then you'd be stuck importing cert and key and replacing in all of the SSL profiles. If the key is the same, then you'd need to export that .pfx to a single PEM (which includes the cert and key), extract the cert from that, and then import the cert. You can of course script all of that, but better to determine if the new and old keys are the same first.
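Added example, not part of the thread and not F5 tooling: a shell check for the question the last reply raises, whether the private key behind the new .pfx is the same key the profile already uses. It compares public-key hashes instead of RSA moduli, so it goes slightly beyond the commands in the question and also works for non-RSA keys; the function names and the `PFX_PASS` environment variable are assumptions, and the old key is assumed to be available as a local unencrypted PEM file.

```shell
#!/bin/sh
# Hypothetical helpers (names are assumptions, not from the thread).
# The .pfx import password is read from the PFX_PASS environment variable
# so that it does not appear in the process list.

# Print the SHA-256 of the public key in the leaf certificate of a .pfx.
pfx_pubkey_hash() {
    # -clcerts keeps only the certificate that belongs to the private key,
    # skipping any CA chain certificates bundled in the file.
    pfx_cert=$(openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:PFX_PASS 2>/dev/null) || return 1
    pfx_pub=$(printf '%s\n' "$pfx_cert" |
        openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$pfx_pub" ] || return 1
    printf '%s\n' "$pfx_pub" | openssl sha256 | awk '{print $NF}'
}

# Print the SHA-256 of the public key derived from a PEM private key.
key_pubkey_hash() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] || return 1
    printf '%s\n' "$key_pub" | openssl sha256 | awk '{print $NF}'
}

# Return 0 if the renewed certificate was issued for the existing key,
# 1 if the key changed, 2 if either file could not be read.
# Read failures are reported separately so that two unreadable inputs
# can never compare as "equal".
pfx_matches_key() {
    new_hash=$(pfx_pubkey_hash "$1") || return 2
    old_hash=$(key_pubkey_hash "$2") || return 2
    [ "$new_hash" = "$old_hash" ]
}

# Example call (paths are placeholders):
#   PFX_PASS='...' pfx_matches_key renewed.pfx existing.key \
#       && echo "same key: only the certificate needs replacing" \
#       || echo "key changed or unreadable: import cert and key together"
```

Run over a directory of .pfx files, the return code separates renewals that reuse the existing key from those where the CA delivered a new key pair.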
