SSL Device Certificate change from 1024 to 2048 bit length

MargaretH_57776
Nimbostratus

I need to change all F5 LTM and F5 Ent. Mgr SSL Device Certificates from 1024 to 2048 bit length. How do I do this? I am using a CA-signed (not self-signed) certificate, and the current cert has not expired; I just need to change the bit length. Thanks.

 

5 REPLIES

Kevin_Stewart
F5 Employee

On the LTM (v11), it's under System - Device Certificates.

 

You can use the following script to modify a self-signed device certificate on your BIG-IPs after adjusting the parameters accordingly.

It will also reset the device trust and modify the trusted certificate.

The syntax can be used to create a 2048-bit key and needs to be changed to craft a CSR to get signed by your own CA.

Be aware that the device trust used to break after changing the device cert.

Have a look at this thread for scripts to modify names, certs and reestablish trust and device group for 2 devices.

#!/bin/bash
# Subject fields for the new self-signed device certificate; adjust per unit.
unit="bigip171.lb-net.bit"
org="LB-NET"
ou="LAB"
city="Frankfurt"
state="Germany"
country="DE"

# Stop the management web server and remove the old device cert and key.
bigstart stop httpd
rm -f /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.key/server.key
# Create a 2048-bit RSA key and a self-signed certificate for it.
tmsh create sys crypto key server.key consumer webserver key-type rsa-private security-type normal key-size 2048
tmsh create sys crypto cert server.crt consumer webserver key server.key lifetime 3650 common-name "${unit}" organization "${org}" ou "${ou}" city "${city}" state "${state}" country "${country}"
bigstart start httpd
# Copy the new certificate into the big3d and gtm trusted certificate files.
cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt
cat /config/httpd/conf/ssl.crt/server.crt > /config/gtm/server.crt

# Reset the device trust, then rename the self device to the new unit name.
tmsh delete cm trust-domain all
sleep 5
tmsh mv cm device "$(tmsh list cm device one-line | grep 'self-device true' | awk '{print $3}')" "${unit}"

MargaretH_57776
Nimbostratus

Hummm ... I was hoping to do it via the GUI. I was told that I can do it the following way but ran into an error in Step 7 - trying to import the key/cert into Device Certificate:

 

To move from a 1024 to a 2048 bit key, and have it signed by your internal CA, you need to:

1. System > File Management > SSL Certificate List
2. Create…
3. Fill out form accordingly (make sure you choose “Certificate Authority” as the Issuer)
4. Have your CA sign the generated CSRs
5. Import the signed Certs to create Certificate & Key pairs
6. Export the Cert and Key to your desktop
7. Import the Certificate & Key under System > Device Certificates > Device Certificate

 

However, step 7 failed with error "Import Failed: Keys do not match". If I just import the key first, then I get "An error has occurred while trying to process your request".

 

I ended up manually replacing the "server.crt" and "server.key" with the new CRT created from steps 1-6:

- Replace existing F5 Device certificate via the console:
  a. Copy and replace “server.crt” and “server.key” with the new F5 certificate
  b. Restart httpd server for certificates to be effective: bigstart restart httpd

Example commands:

a. Go to the directory where the new F5 certificates are located

cd /config/filestore/files_d/Common_d/certificate_d/
cp :Common:F5EM_2048bit.crt_1 /config/httpd/conf/ssl.crt
cd /config/filestore/files_d/Common_d/certificate_key_d/
cp :Common:F5EM_2048bit.key_1 /config/httpd/conf/ssl.key
cd /config/httpd/conf/ssl.crt
mv server.crt server.crt_original
mv :Common:F5EM_2048bit.crt_1 server.crt
cd /config/httpd/conf/ssl.key
mv server.key server.key_original
mv :Common:F5EM_2048bit.key_1 server.key
bigstart restart httpd

Log on to F5 GUI to confirm: https://f5em
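
The import error in step 7 reports that the certificate and key do not belong together. As an added example (not part of any post in this thread, and not F5 code), the script below uses the stock openssl CLI to check that a certificate's public key is at least 2048 bits and matches the private key before the pair is copied over server.crt and server.key; the function names and file paths are assumptions.

```shell
#!/bin/bash
# Added example: pre-flight check for a replacement device certificate.
# Function names and file paths are illustrative assumptions.

# Size in bits of the public key carried by a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Returns 0 when the pair is usable, 1 on a cert/key mismatch,
# 2 when the certificate is unreadable or its key is too short.
check_device_cert() {
    cdc_cert="$1"; cdc_key="$2"; cdc_min="${3:-2048}"
    cdc_bits=$(cert_key_bits "$cdc_cert")
    if [ -z "$cdc_bits" ] || [ "$cdc_bits" -lt "$cdc_min" ]; then
        echo "FAIL: $cdc_cert has a ${cdc_bits:-unreadable} bit key, need $cdc_min" >&2
        return 2
    fi
    # Both commands emit the same SubjectPublicKeyInfo PEM for a matching pair.
    cdc_pub_c=$(openssl x509 -in "$cdc_cert" -noout -pubkey 2>/dev/null)
    cdc_pub_k=$(openssl pkey -in "$cdc_key" -pubout 2>/dev/null)
    if [ -z "$cdc_pub_k" ] || [ "$cdc_pub_c" != "$cdc_pub_k" ]; then
        echo "FAIL: $cdc_key is not the private key for $cdc_cert" >&2
        return 1
    fi
    echo "OK: $cdc_bits bit certificate and key match"
}

# Demo on two throwaway self-signed pairs (constructed sample data).
demo() {
    d=$(mktemp -d) || return 1
    for n in new old; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null
    done
    check_device_cert "$d/new.crt" "$d/new.key"            # matching pair
    check_device_cert "$d/new.crt" "$d/old.key" || true    # mismatched pair
    rm -rf "$d"
}

case "${1:-}" in
    "")     ;;                          # no arguments: only define the functions
    --demo) demo ;;
    *)      check_device_cert "$@" ;;
esac
```

Pass the exported certificate and key paths as the two arguments, or `--demo` to run it on generated throwaway pairs.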

 

What TMOS version are you on? Will have a look at it this evening.

 

FrancisOlivier
Nimbostratus

Take a look at the article below:

https://support.f5.com/csp/article/K9114 (Section: Generating a new self-signed device certificate and private key)