Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

SSL Device Certficate change from 1024 to 2048 bit length


I need to change all F5 LTM and F5 Ent. Mgr SSL Device Certificate from 1024 to 2048 bit length. How do I do this? I am using a CA signed (not Self Signed) certificate and current cert has not expired but just need to change the bit length. Thanks.



F5 Employee
F5 Employee

On the LTM (v11), it's under System - Device Certificates.


You can use the following script to modify a self-signed device certificate on your BIG-IPs after adjusting the parameters accordingly.

It will also reset the device trust and modify the trusted certificate.

The syntax can be used to create a 2.048 bit key and needs to be changed to craft a CSR to get signed by your own CA.

Be aware, that the device trust used to break after changing the device cert.

Have a look at this thread for scripts to modify names, certs and reestablish trust and device group for 2 devices.

! /bin/bash

bigstart stop httpd
rm -f /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.key/server.key
tmsh create sys crypto key server.key consumer webserver key-type rsa-private security-type normal key-size 2048
tmsh create sys crypto cert server.crt consumer webserver key server.key lifetime 3650 common-name "${unit}" organization "${org}" ou "${ou}" city "${city}" state "${state}" country "${country}"
bigstart start httpd
cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt
cat /config/httpd/conf/ssl.crt/server.crt > /config/gtm/server.crt

tmsh delete cm trust-domain all
sleep 5
tmsh mv cm device `tmsh list cm device one-line | grep 'self-device true' | awk '{print $3}'` ${unit}


Hummm ... I was hoping to do it via the GUI. I was told that I can do it the following way but ran into error in Step 7 - trying to import the key/cert into Device Certificate:


To move from a 1024 to a 2048 bit key, and have it signed by your internal CA, you need to: 1. System > File Management > SSL Certificate List 2. Create… 3. Fill out form accordingly (make sure you chose “Certificate Authority” as the Issuer) 4. Have your CA sign the generated CSRs 5. Import the signed Certs to create Certificate & Key pairs 6. Export the Cert and Key to your desktop 7. Import the Certificate & Key under System > Device Certificates > Device Certificate


However, step 7 failed with error "Import Failed: Keys do not match". If I just import the key first, then I get "An error has occurred while trying to process your request".


I ended up manually replacing the "server.crt" and "server.key" with the new CRT created from steps 1-6: - Replace existing F5 Device certificate via the console: a. Copy and replace “server.crt” and “server.key” with the new F5 certificate b. Restart httpd server for certificates to be effective: bigstart restart httpd Example commands: a. Go to the directory where the new F5 certificates are located cd /config/filestore/files_d/Common_d/certificate_d/ cp :Common:F5EM_2048bit.crt_1 /config/httpd/conf/ssl.crt cd /config/filestore/files_d/Common_d/certificate_key_d/ cp :Common:F5EM_2048bit.key_1 /config/httpd/conf/ssl.key cd /config/httpd/conf/ssl.crt mv server.crt server.crt_original mv :Common:F5EM_2048bit.crt_1 server.crt cd /config/httpd/conf/ssl.key mv server.key server.key_original mv :Common:F5EM_2048bit.key_1 server.key bigstart restart http Logon to F5 GUI to confirm: https://f5em


What TMOS version are you on? Will have a look at it this evening.



Take a look on the article below ( Section: Generating a new self-signed device certificate and private key)