Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Import cert/key together to prevent mismatching

The-messenger
Cirrostratus
Cirrostratus

‎05-Nov-2021 10:22

Looking at version 14.1.4, I have BigIPs in 2 data centers. In one data center I have an updated (renewed) SSL cert/key. If I export the cert and key file and then try to import in the other data center I will get "doesn't match" when trying to import. Is there any way to import the cert and key at the same time to prevent this?

Labels:
0 Kudos
4 REPLIES 4

Fallout1984
Cirrocumulus
Cirrocumulus

‎05-Nov-2021 13:04

  1. Is this a device cert or a site cert?
  2. Was the cert generated via the GUI or via the CLI using openssl commands?
  3. Is it a self-signed cert or is it from an SSL cert provider?
  4. Does the key have a password? If the CSR was done via the GUI, I believe the key isn't encrypted and thus no password required.

 

This info should help with answering your question.

 

Thanks!

 

 

 

0 Kudos

The-messenger
Cirrostratus
Cirrostratus
In response to Fallout1984

‎05-Nov-2021 13:07

The cert is being exported from one device imported to another. There is no CSR here, just exporting and importing.

I resolved it. I used openssll to combine the .key and .crt file to a .pfx file. Then used the .pfx file to import, at the other datacenter, over-writing the existing cert in place.

0 Kudos

Fallout1984
Cirrocumulus
Cirrocumulus
In response to The-messenger

‎05-Nov-2021 13:47

Ah, okay. Good. I normally use openssl commands when creating certs, more control that way. There's one cert that I have to merge into PFX format for a particular backend server, but that's about the only time I have to use that format.

 

Another thing I started doing as part of my cert creation routine was verify the hash of the CSR and the key match before I export it for the cert request:

 

Example:

 

Generate hash for the private key:

 

openssl pkey -in /config/ssl/ssl.key/apple-pie.com.key -pubout -outform pem | sha256sum

 

Generate hash for the csr:

 

openssl req -in /config/ssl/ssl.csr/apple-pie.com.csr -pubkey -noout -outform pem | sha256sum

0 Kudos

The-messenger
Cirrostratus
Cirrostratus

‎22-Nov-2021 11:25

Thanks.

This what I ended up doing, I started out with the assumption that I could export the key and cert together so it took awhile to switch to openssl.

0 Kudos
Copyright © 2023 Khoros, LLC