Looking at version 14.1.4, I have BigIPs in 2 data centers. In one data center I have an updated (renewed) SSL cert/key. If I export the cert and key file and then try to import in the other data center I will get "doesn't match" when trying to import. Is there any way to import the cert and key at the same time to prevent this?
This info should help with answering your question.
The cert is being exported from one device imported to another. There is no CSR here, just exporting and importing.
I resolved it. I used openssll to combine the .key and .crt file to a .pfx file. Then used the .pfx file to import, at the other datacenter, over-writing the existing cert in place.
Ah, okay. Good. I normally use openssl commands when creating certs, more control that way. There's one cert that I have to merge into PFX format for a particular backend server, but that's about the only time I have to use that format.
Another thing I started doing as part of my cert creation routine was verify the hash of the CSR and the key match before I export it for the cert request:
Generate hash for the private key:
openssl pkey -in /config/ssl/ssl.key/apple-pie.com.key -pubout -outform pem | sha256sum
Generate hash for the csr:
openssl req -in /config/ssl/ssl.csr/apple-pie.com.csr -pubkey -noout -outform pem | sha256sum
This what I ended up doing, I started out with the assumption that I could export the key and cert together so it took awhile to switch to openssl.