Forum Discussion

MargaretH_57776
Sep 14, 2013

SSL Device Certificate change from 1024 to 2048 bit length

I need to change all F5 LTM and F5 Ent. Mgr SSL Device Certificates from 1024 to 2048 bit length. How do I do this? I am using a CA signed (not Self Signed) certificate, and the current cert has not expired, but I just need to change the bit length. Thanks.


5 Replies

  • You can use the following script to modify a self-signed device certificate on your BIG-IPs after adjusting the parameters accordingly.

    It will also reset the device trust and modify the trusted certificate.

    The syntax can be used to create a 2048-bit key and needs to be changed to craft a CSR to get signed by your own CA.

    Be aware that the device trust used to break after changing the device cert.

    Have a look at this thread for scripts to modify names, certs and reestablish trust and device group for 2 devices.

    #!/bin/bash
    # Parameters for the new device certificate: adjust to your own device and organisation.
    unit="bigip171.lb-net.bit"
    org="LB-NET"
    ou="LAB"
    city="Frankfurt"
    state="Germany"
    country="DE"
    
    # Stop the management web server and discard the old device cert and key.
    bigstart stop httpd
    rm -f /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.key/server.key
    # Generate a 2048-bit RSA key and a self-signed certificate for the webserver consumer
    # (replace the cert step with a CSR if the certificate is to be signed by your own CA).
    tmsh create sys crypto key server.key consumer webserver key-type rsa-private security-type normal key-size 2048
    tmsh create sys crypto cert server.crt consumer webserver key server.key lifetime 3650 common-name "${unit}" organization "${org}" ou "${ou}" city "${city}" state "${state}" country "${country}"
    bigstart start httpd
    # Copy the new device certificate to the locations used by big3d and GTM.
    cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt
    cat /config/httpd/conf/ssl.crt/server.crt > /config/gtm/server.crt
    
    # Reset the device trust and rename the local device object to the new unit name.
    tmsh delete cm trust-domain all
    sleep 5
    tmsh mv cm device `tmsh list cm device one-line | grep 'self-device true' | awk '{print $3}'` ${unit}
    
  • Hummm ... I was hoping to do it via the GUI. I was told that I can do it the following way but ran into an error in Step 7 - trying to import the key/cert into Device Certificate:


    To move from a 1024 to a 2048 bit key, and have it signed by your internal CA, you need to:

    1. System > File Management > SSL Certificate List
    2. Create…
    3. Fill out form accordingly (make sure you chose “Certificate Authority” as the Issuer)
    4. Have your CA sign the generated CSRs
    5. Import the signed Certs to create Certificate & Key pairs
    6. Export the Cert and Key to your desktop
    7. Import the Certificate & Key under System > Device Certificates > Device Certificate


    However, step 7 failed with error "Import Failed: Keys do not match". If I just import the key first, then I get "An error has occurred while trying to process your request".


    I ended up manually replacing the "server.crt" and "server.key" with the new CRT created from steps 1-6:

    - Replace existing F5 Device certificate via the console:
      a. Copy and replace “server.crt” and “server.key” with the new F5 certificate
      b. Restart httpd server for certificates to be effective: bigstart restart httpd

    Example commands:

    a. Go to the directory where the new F5 certificates are located

       cd /config/filestore/files_d/Common_d/certificate_d/
       cp :Common:F5EM_2048bit.crt_1 /config/httpd/conf/ssl.crt
       cd /config/filestore/files_d/Common_d/certificate_key_d/
       cp :Common:F5EM_2048bit.key_1 /config/httpd/conf/ssl.key
       cd /config/httpd/conf/ssl.crt
       mv server.crt server.crt_original
       mv :Common:F5EM_2048bit.crt_1 server.crt
       cd /config/httpd/conf/ssl.key
       mv server.key server.key_original
       mv :Common:F5EM_2048bit.key_1 server.key
       bigstart restart httpd

    Logon to F5 GUI to confirm: https://f5em
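A pre-flight check for the replacement pair, added here as an example and not taken from the thread or from F5: it uses the openssl CLI to confirm that the exported key really is 2048 bits and that the certificate was issued for that key, which is the condition behind the "Import Failed: Keys do not match" error above. The file paths are assumptions; any PEM cert and key on disk will do.

```shell
#!/bin/bash
# Pre-flight check for a replacement BIG-IP device certificate/key pair.
# Run it against the exported files *before* copying them over
# /config/httpd/conf/ssl.crt/server.crt and /config/httpd/conf/ssl.key/server.key.
# Needs the openssl CLI; the file paths passed in are assumptions.

# Print the modulus size in bits of a PEM RSA private key (empty if unreadable).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 when the certificate's public key is the one derived from the private
# key; a mismatch here is exactly what the GUI reports as "Keys do not match".
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY [MIN_BITS]: verify key length (default 2048) and pairing.
# Prints one line and returns 0 = ok, 1 = unreadable key, 2 = key too short,
# 3 = cert and key do not belong together.
check_pair() {
    local cert=$1 key=$2 min_bits=${3:-2048} bits
    bits=$(key_bits "$key")
    if [ -z "$bits" ]; then
        echo "FAIL: cannot read RSA key $key"; return 1
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits} bits, need at least ${min_bits}"; return 2
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $cert was not issued for the public key in $key"; return 3
    fi
    echo "OK: ${bits}-bit key and certificate match"
}

# Usage on the exported pair (example paths, not the real filestore names):
# check_pair /var/tmp/F5EM_2048bit.crt /var/tmp/F5EM_2048bit.key
```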


  • Take a look at the article below


    https://support.f5.com/csp/article/K9114 (Section: Generating a new self-signed device certificate and private key)