eey0re
Dec 05, 2017

iQuery doesn't appear to support elliptic curve anywhere in the PKI chain

On 12.1.2, attempting to add an elliptic curve CA certificate to GSLB "Trusted Server Certificates" gives the error:

Key management library returned bad status: -35. EC keys are incompatible for Webserver/EM/iQuery.

In my experience, in order for GSLB iQuery connections to work when using CA-issued certificates as device certificates, the whole CA chain including the root CA must be added to "Trusted Server Certificates" (DNS>GSLB>Servers) and "Trusted Device Certificates" (System>Device Certificates).

Does anyone know of a way to make iQuery work that won't involve either setting up a whole new RSA PKI (unreasonable), or going back to self-signed certificates for the Configuration Utility and iControl? I can live with self-signed iQuery mesh, but I thought the days of self-signed Config Utility and iControlREST were behind us.

There's no mention of this limitation in the documentation, or on AskF5. There are no relevant hits in Google, so I guess no one else is actually using an EC CA internally.
