Ross_Beehler
Nov 13, 2021

Rotate SSL Cert and Encrypted Key with iControl REST API

I'm trying to rotate SSL Certs and Encrypted Keys (i.e. those protected with a passphrase) using the iControl REST API. If the Cert and Key are in use on a Client SSL Profile (the very normal situation), I get the error "error:0906A068:PEM routines:PEM_do_header:bad password read" when patching /mgmt/tm/sys/file/ssl-key. What is the correct procedure to rotate in this scenario?

Also, since I believe I have to update the passphrase on the Client SSL Profile, does that mean there may be downtime for any Virtual Servers using that profile? I see a warning about this in K15462: Managing SSL certificates for BIG-IP systems using tmsh but not in K14620: Manage SSL certificates for BIG-IP systems using the Configuration utility, though neither of those articles speaks to the iControl REST API.

1 Reply

  • Did you end up figuring this out? I have a similar issue when trying to install a new cert + key using the API that are different from what currently exists on the F5:

    "code": 400,
    "message": "01070317:3: profile /Common/foo.com's key(/Common/foo.com) and certificate(/Common/foo.com) do not match.",
    "errorStack": [],
    "apiError": 3