Forum Discussion
Hummm ... I was hoping to do it via the GUI. I was told that I can do it the following way but ran into an error in Step 7 - trying to import the key/cert into Device Certificate:

To move from a 1024 to a 2048 bit key, and have it signed by your internal CA, you need to:

1. System > File Management > SSL Certificate List
2. Create…
3. Fill out form accordingly (make sure you choose “Certificate Authority” as the Issuer)
4. Have your CA sign the generated CSRs
5. Import the signed Certs to create Certificate & Key pairs
6. Export the Cert and Key to your desktop
7. Import the Certificate & Key under System > Device Certificates > Device Certificate
However, step 7 failed with error "Import Failed: Keys do not match". If I just import the key first, then I get "An error has occurred while trying to process your request".
I ended up manually replacing the "server.crt" and "server.key" with the new CRT created from steps 1-6:

- Replace existing F5 Device certificate via the console:
  a. Copy and replace “server.crt” and “server.key” with the new F5 certificate
  b. Restart httpd server for certificates to be effective: bigstart restart httpd

Example commands:

a. Go to the directory where the new F5 certificates are located

    cd /config/filestore/files_d/Common_d/certificate_d/
    cp :Common:F5EM_2048bit.crt_1 /config/httpd/conf/ssl.crt
    cd /config/filestore/files_d/Common_d/certificate_key_d/
    cp :Common:F5EM_2048bit.key_1 /config/httpd/conf/ssl.key
    cd /config/httpd/conf/ssl.crt
    mv server.crt server.crt_original
    mv :Common:F5EM_2048bit.crt_1 server.crt
    cd /config/httpd/conf/ssl.key
    mv server.key server.key_original
    mv :Common:F5EM_2048bit.key_1 server.key
    bigstart restart httpd

Log on to the F5 GUI to confirm: https://f5em
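One way to check, before importing a pair in the GUI or copying it over server.crt and server.key, whether a certificate and key file actually belong together and whether the certificate carries a 2048-bit key. This is an added example, not part of the original post; it assumes the openssl CLI is available, and the function names and throwaway demo files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.

# Print the public key embedded in a certificate / derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# cert_matches_key CERT KEY
# returns 0 = pair matches, 1 = mismatch, 2 = a file could not be parsed
cert_matches_key() {
    cmk_cert=$(cert_pubkey "$1") || return 2
    cmk_key=$(key_pubkey "$2") || return 2
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# cert_bits CERT: print the certificate's public key size in bits (e.g. 2048)
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Public-Key:/{s/.*(\([0-9][0-9]*\) bit.*/\1/p;q;}'
}

# make_demo_files DIR: constructed throwaway material for the demo only:
# new.key + self-signed new.crt (a matching pair) and an unrelated other.key.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1/new.key" -out "$1/new.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    make_demo_files "$demo_dir" || { rm -rf "$demo_dir"; return 1; }
    for k in new.key other.key; do
        if cert_matches_key "$demo_dir/new.crt" "$demo_dir/$k"; then
            echo "new.crt + $k: match ($(cert_bits "$demo_dir/new.crt") bit)"
        else
            echo "new.crt + $k: keys do not match, do not install"
        fi
    done
    rm -rf "$demo_dir"
}
demo
```

Run against the exported files, `cert_matches_key` takes the certificate path first and the key path second; a non-zero result means the pair should not be copied into place.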