Forum Discussion

elastic_82555
Apr 16, 2014

Cannot Renew Certificate and private key ( but keep the same name in F5 config )

Hi, I am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere ( i.e. not on the F5 ), and I have the cert/key from a CA already. The current certificate/key is in use. Trying to update either the certificate or the key results in the F5 complaining that the key does not match the certificate or vice versa.


So, several workarounds to do this would be to delete the certificate/key pair and recreate, or add the certificate/key under a new name. Either one involves enormous pain, as the certificate is used by hundreds of iApps ( coding involved ). Does anyone have an alternate suggestion? Seems I cannot be the only person with this issue, but so far as I can find, it seems like a unique problem?


Help or suggestions appreciated.


Error message (v11.4):

01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/ for profile /Common/ error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
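The `X509_check_private_key:key values mismatch` error above is OpenSSL reporting that the public key inside the certificate is not the public key belonging to the private key. The script below is an added example, not code from this thread or from F5: it performs the same comparison with the `openssl` CLI so a pair can be checked on any workstation before it is uploaded. The `demo` function generates two throw-away self-signed pairs (constructed test material, hypothetical names `a` and `b`) and shows one matching and one mismatched combination; `cert_key_match` is the reusable check.

```shell
#!/bin/sh
# Added example (not from the forum thread or F5): verify that a certificate
# and a private key belong together before loading them onto a BIG-IP.  This
# is the test behind "X509_check_private_key:key values mismatch": the public
# key embedded in the certificate must equal the public key derived from the
# private key.
set -eu

# SHA-256 fingerprint of the DER-encoded public key taken from a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, but derived from a private key (PKCS#8, RSA or EC PEM).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the pair matches, 1 when it does not.
cert_key_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Constructed demo material: a self-signed cert/key pair named <name> in <dir>.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/CN=*.example.test" -days 1 >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_demo_pair "$d" a
    make_demo_pair "$d" b
    if cert_key_match "$d/a.crt" "$d/a.key"; then
        echo "a.crt + a.key: match"
    fi
    if ! cert_key_match "$d/a.crt" "$d/b.key"; then
        echo "a.crt + b.key: MISMATCH (this is the combination BIG-IP rejects)"
    fi
    rm -rf "$d"
}

demo
```

Run `cert_key_match new.crt new.key` against the renewed files from the CA; if it fails, the upload will fail too, and the usual cause is a CSR generated from a different key than the one being uploaded.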


  • So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.


20 Replies

  • Hi, what I would do in your case is:
    1. synchronize active and passive devices
    2. use the passive device for your manipulation
    3. force the passive device to "push config to group" and your main device will have the proper configuration


    Regarding the step 2, if you want to use the GUI you'll have to delete the certificate & key, then recreate it with the same name ... Possible only if prior to this operation you removed the certificate from the SSL profiles that use it ... If it's too long using GUI you'll have to edit the bigip.conf and use "sed" to replace what you want to replace :)
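Both the accepted answer and the reply above suggest editing bigip.conf with sed rather than clicking through every profile. The script below is an added example, not code from this thread or from F5: it rewrites only whole `cert /Common/<old>.crt` and `key /Common/<old>.key` lines, keeps a `.bak` copy, and counts references before and after so the edit can be checked before running `tmsh load sys config`. The config fragment is constructed for the demo; its `cert`/`key` line layout is assumed from v11-style client-ssl profiles, and the names `wildcard-2013`, `wildcard-2014` and the profile names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the forum thread or F5): swap cert/key references in
# a bigip.conf-style file with sed and verify the result by counting matches.
set -eu

# Count lines referencing /Common/<name>.crt or /Common/<name>.key.
# (grep -c exits 1 on zero matches; "|| true" keeps the printed "0".)
count_refs() {
    grep -cE "/Common/$1\.(crt|key)" "$2" || true
}

# Replace the cert and key lines pointing at <old> so they point at <new>.
# Anchoring on the whole line means a name that is a prefix of another
# (wildcard-2013 vs wildcard-2013-staging) is left alone.
swap_cert_refs() {
    old=$1; new=$2; conf=$3
    cp "$conf" "$conf.bak"
    sed -E \
        -e "s#^([[:space:]]*cert[[:space:]]+)/Common/$old\.crt[[:space:]]*\$#\1/Common/$new.crt#" \
        -e "s#^([[:space:]]*key[[:space:]]+)/Common/$old\.key[[:space:]]*\$#\1/Common/$new.key#" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed demo config (layout assumed, names hypothetical): two profiles
# use the expiring pair, one staging profile uses a similarly named pair.
make_demo_conf() {
    cat > "$1" <<'EOF'
ltm profile client-ssl /Common/www_clientssl {
    cert /Common/wildcard-2013.crt
    key /Common/wildcard-2013.key
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/api_clientssl {
    cert /Common/wildcard-2013.crt
    key /Common/wildcard-2013.key
    chain /Common/ca-bundle.crt
}
ltm profile client-ssl /Common/staging_clientssl {
    cert /Common/wildcard-2013-staging.crt
    key /Common/wildcard-2013-staging.key
}
EOF
}

demo() {
    d=$(mktemp -d)
    conf="$d/bigip.conf"
    make_demo_conf "$conf"
    echo "before: $(count_refs wildcard-2013 "$conf") references to wildcard-2013"
    swap_cert_refs wildcard-2013 wildcard-2014 "$conf"
    echo "after:  $(count_refs wildcard-2013 "$conf") to wildcard-2013, $(count_refs wildcard-2014 "$conf") to wildcard-2014"
    diff "$conf.bak" "$conf" || true   # show exactly which lines changed
    rm -rf "$d"
}

demo
```

On a real unit the new pair must already exist under the new name before the config is reloaded, and the `.bak` copy is what you restore if `tmsh load sys config` rejects the edited file.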

