Technical Forum
Import cert/key together to prevent mismatching

The-messenger
Cirrostratus

Looking at version 14.1.4, I have BigIPs in 2 data centers. In one data center I have an updated (renewed) SSL cert/key. If I export the cert and key file and then try to import in the other data center I will get "doesn't match" when trying to import. Is there any way to import the cert and key at the same time to prevent this?

4 REPLIES

Fallout1984
Cirrocumulus
  1. Is this a device cert or a site cert?
  2. Was the cert generated via the GUI or via the CLI using openssl commands?
  3. Is it a self-signed cert or is it from an SSL cert provider?
  4. Does the key have a password? If the CSR was done via the GUI, I believe the key isn't encrypted and thus no password required.


This info should help with answering your question.

Thanks!

The cert is being exported from one device imported to another. There is no CSR here, just exporting and importing.

I resolved it. I used openssl to combine the .key and .crt file into a .pfx file. Then I used the .pfx file to import, at the other datacenter, overwriting the existing cert in place.

Ah, okay. Good. I normally use openssl commands when creating certs; there's more control that way. There's one cert that I have to merge into PFX format for a particular backend server, but that's about the only time I have to use that format.

Another thing I started doing as part of my cert creation routine was to verify that the hashes of the CSR and the key match before I export it for the cert request:

Example:

Generate hash for the private key:

openssl pkey -in /config/ssl/ssl.key/apple-pie.com.key -pubout -outform pem | sha256sum

Generate hash for the CSR:

openssl req -in /config/ssl/ssl.csr/apple-pie.com.csr -pubkey -noout -outform pem | sha256sum
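As an added example (not code from either poster), the following POSIX shell script puts the two answers together: the public-key hash comparison above, extended to certificates as well as CSRs, and the PKCS#12 bundling from the earlier reply, which the script refuses to do when the key and cert do not match. The key, CSR and certificate it checks are generated in a temp directory as constructed test material (the CN and file names are placeholders, not the apple-pie.com files from the thread); it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed key/CSR/cert material is generated in a
# temp dir; the paths and CN are placeholders, not the poster's apple-pie.com files.
set -eu

# Print the PEM public key carried by a private key, a CSR or a certificate.
pubkey_pem() {
  case "$2" in
    key)  openssl pkey -in "$1" -pubout -outform pem ;;
    csr)  openssl req  -in "$1" -pubkey -noout ;;
    cert) openssl x509 -in "$1" -pubkey -noout ;;
    *)    echo "unknown kind: $2" >&2; return 2 ;;
  esac
}

# SHA-256 of that public key; equal hashes mean the two files belong together.
pubkey_hash() { pubkey_pem "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'; }

# key_matches FILE1 KIND1 FILE2 KIND2 -> true when both carry the same public key
key_matches() { [ "$(pubkey_hash "$1" "$2")" = "$(pubkey_hash "$3" "$4")" ]; }

# make_pfx KEY CERT OUT PASSWORD -> bundle key+cert into one PKCS#12 file so they
# cannot be separated on import; refuses if the pair does not match.
make_pfx() {
  key_matches "$1" key "$2" cert || { echo "key/cert mismatch, refusing to bundle" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# make_test_material DIR -> constructed demo files: a.key/a.csr/a.crt match, b.key does not
make_test_material() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/a.key" 2>/dev/null
  openssl req -new -key "$1/a.key" -subj "/CN=apple-pie.example" -out "$1/a.csr"
  openssl req -new -x509 -key "$1/a.key" -subj "/CN=apple-pie.example" -days 1 -out "$1/a.crt"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/b.key" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_test_material "$d"
  key_matches "$d/a.key" key "$d/a.csr" csr  && echo "key/csr:  match"
  key_matches "$d/a.key" key "$d/a.crt" cert && echo "key/cert: match"
  key_matches "$d/b.key" key "$d/a.crt" cert || echo "b.key/cert: mismatch detected"
  make_pfx "$d/a.key" "$d/a.crt" "$d/a.pfx" changeit && echo "bundle written: $d/a.pfx"
  rm -rf "$d"
}
demo
```

Running the key/cert check on the exported pair before leaving the first data center tells you whether the right files were exported, so a "doesn't match" at the other site can be ruled out as an import problem.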

The-messenger
Cirrostratus

Thanks.

This is what I ended up doing. I started out with the assumption that I could export the key and cert together, so it took a while to switch to openssl.