

Cannot Renew Certificate and private key (but keep the same name in F5 config)

Hi, I am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere (ie not on the F5), and I have the cert/key from a CA already. The current certificate/key is in use. Trying to update either the certificate or the key results in the F5 complaining that the key does not match the certificate, or vice versa.
So, several workarounds to do this would be to delete the certificate/key pair and recreate it, or add the certificate/key under a new name. Either one involves enormous pain, as the certificate is used by hundreds of iApps (coding involved). Does anyone have an alternate suggestion? It seems I cannot be the only person with this issue, but so far as I can find, it seems like a unique problem.

Help or suggestions appreciated

Error message (v11.4):

01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:star.mydomain.com.key_12345_1 for profile /Common/myapp.app/myapp_as_client-ssl: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.

0

Hi, Here is the process.
Background reading, http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14620.html#14

  1. Backup bigip.conf
  2. Import new cert/key into F5 via GUI named samenamecert170414, ie same name but with date added on end
  3. Reconfig one iApp to use new cert/key
  4. Edit bigip.conf, search/replace samenamecert.key and samenamecert.crt to samenamecert170414.key and samenamecert170414.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt:

    sys file ssl-cert /Common/samenamecert.crt {
        cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1    ( this number will be different )
        revision 1
        source-path /config/ssl/ssl.crt/samenamecert.crt
    }
    sys file ssl-key /Common/samenamecert.key {
        cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1    ( this number will be different )
        revision 1
        source-path /config/ssl/ssl.key/samenamecert.key
    }

  5. Reload the config: tmsh load sys config
  6. Delete original "samenamecert"
  7. Import new cert/key into F5 via GUI named samenamecert, ie the original cert name
  8. Reconfig one iApp to use the samenamecert cert/key, ie back to the original name
  9. Edit bigip.conf, search/replace samenamecert170414.key and samenamecert170414.crt to samenamecert.key and samenamecert.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt:

    sys file ssl-cert /Common/samenamecert170414.crt {
        cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert170414.crt_67272_1    ( this number will be different )
        revision 1
        source-path /config/ssl/ssl.crt/samenamecert170414.crt
    }
    sys file ssl-key /Common/samenamecert170414.key {
        cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert170414.key_67268_1    ( this number will be different )
        revision 1
        source-path /config/ssl/ssl.key/samenamecert170414.key
    }

  10. tmsh load sys config
  11. Delete the samenamecert170414 cert/key
  12. Check the cert has the correct serial number. IMPORTANT! System ›› File Management : SSL Certificate List ›› samenamecert
  13. Check via a browser that you are getting the correct certificate served, taking a statistically valid sample of your affected domains/applications
  14. Job done.

Pretty simple really. All due to a certificate change. This should really be so much easier.

NB. Currently I have only done this on the standby node. I am awaiting permission to failover and do a replication. Will update as soon as...

1
Comments on this Answer
Comment made 17-Apr-2014 by Cory 3580
Your thoroughness and attention to detail is impressive.
1
Comment made 17-Apr-2014 by Emad 553
:)
0

Have you tried just deleting either the key or the certificate, and then importing the new one that you didn't delete? For example, delete the certificate, then import the new key, then import the new certificate.

0

Did you try adding the new certificate and key as a new pair, then applying it to the in-use SSL profile? I can't see how you could update the existing certificate and key while it's in use, since neither the new key nor the new cert would match the old one that still needs to be changed.

0

The best way is to use a new name for the key and certificate and update the key and certificate in the SSL profile. In this way the SSL profile name would remain the same.

0

Cory, Deleting the key or cert is not possible, as they are in use. So, F5 (by design) does not let you do this.

afedden, Yes, you can do this, but, and here is maybe a design issue for me, all my iApps use a different SSL profile. So, every iApp has a unique SSL profile (maybe not my finest moment of design). So, maybe that is where the uniqueness of my issue comes from. I opted to have one SSL profile per iApp. Now I have several hundred iApps and several hundred SSL profiles. Yes, it seems crazy now that it's written down, and hindsight is a wonderful thing, but the basic issue is that a simple change of certificate/key has turned into a pretty major change affecting every iApp.

0

Cory, That sounds like a good option. I particularly dislike leaving old keys around, but once the change is done, I could delete them. In fact, once I do the above, I could reimport the new cert/key combo under the old name, then do the same search and replace and delete the new name. An odd way to do things, but quite workable.

If all else fails, this seems like a good option. Thanks.

0
Comments on this Answer
Comment made 16-Apr-2014 by Cory 3580
Be sure to back up your bigip.conf file just in case something goes awry.
1

Hi, Ok, today I was able to flip over from active to standby. Synchronized both F5's after the flip from active to standby (the standby had the config changes). On both F5's the certificate seems to be the correct one (checking the serial number). However, all the VS's are still supplying the old certificate (verified by the old serial number still being present). I have cleared browser caches, and indeed used a virgin VM with a browser, and yes, the old certificate is still being served. Seems like something else needs to be done. Ideas welcomed. (Am looking into it at the moment.)

0
Comments on this Answer
Comment made 22-Apr-2014 by elastic 100
Hi, sorry folks, this was a false alarm; the process I described works exactly as is. I had some issues locally with old iApps that are no longer used (DNS pointing to another F5). This was the reason for the above comment, and maybe I should have done more testing before posting. Lesson learned. Anyway, the process is all good, and both F5's are working with the new certificate.
0
Comment made 22-Apr-2014 by Cory 3580
Good to hear. Thanks for following up.
0

This is my testing. Is it the same as yours?

0. existing certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert one.crt
            key one.key
        }
    }
    defaults-from clientssl
}

1. verify certificate from virtual server

[root@ve11a:Active:In Sync] config # echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=one
issuer= /C=US/CN=one

2. install new certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# install sys crypto cert two from-local-file /var/tmp/two.crt
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# install sys crypto key two from-local-file /var/tmp/two.key

3. verify new certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list sys crypto cert two.crt
sys crypto cert two.crt {
    certificate-key-size 2048
    city
    common-name two
    country US
    email-address
    expiration Apr 22 08:31:58 2015 GMT
    organization
    ou
    public-key-type RSA
    state
    subject-alternative-name
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list sys crypto key two.key
sys crypto key two.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}

4. save configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done

5. manually modify bigip.conf

ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/two.crt
            key /Common/two.key
        }
    }
    defaults-from /Common/clientssl
}

6. reload configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /defaults/daemon.conf
  /defaults/fullarmor_gpo_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf

7. verify certificate from virtual server

[root@ve11a:Active:In Sync] config # echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=two
issuer= /C=US/CN=two

0
Comments on this Answer
Comment made 22-Apr-2014 by elastic 100
Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so the command used locally is:

    echo | openssl s_client -connect 10.1.2.11:443 2>&1 | openssl x509 -noout -serial

This should print out the serial number of your cert. Old and new certs should have different serial numbers.
0
Comment made 18-Apr-2017 by ishan4386 0

The same issue happened with me. I deleted the key from the F5 and then later imported the key into the F5. This time, while uploading the certificate, I used the same name as the exported private key. Previously, while uploading the certificate, I used a new certificate name, due to which this error happened.

0
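The bigip.conf edit that the accepted answer (import under a new name, search/replace every profile reference except the six "sys file" lines, reload) and the tmsh walkthrough above both describe, scripted as an added example. This is not code from the thread or from F5: the object names (samenamecert, samenamecert170414), the iApp profile, the filestore paths and the sample config are constructed, and the on-box helper assumes "tmsh load sys config verify" is available on the version in use. It also front-loads the check the original error is about: the certificate and key must share a modulus before anything is imported.

```shell
#!/bin/sh
# Added example, not code from the DevCentral thread or from F5. It scripts the
# bigip.conf edit that the accepted answer and the tmsh walkthrough describe:
# point every SSL profile at a cert/key pair imported under a new name while
# leaving the "sys file ssl-cert" / "sys file ssl-key" stanzas untouched.
# All object names, paths and the sample config below are constructed.

# swap_cert_refs OLD NEW  (stdin: bigip.conf text, stdout: rewritten text)
# Replaces "OLD.crt"/"OLD.key" references (written "/Common/OLD.crt" or
# "cert OLD.crt") outside the sys file stanzas with "NEW.crt"/"NEW.key".
swap_cert_refs() {
    awk -v old="$1" -v new="$2" '
    # Literal substitution, so dots in names such as star.example.com are safe.
    function lit_sub(s, from, to,    out, i) {
        out = ""
        while ((i = index(s, from)) > 0) {
            out = out substr(s, 1, i - 1) to
            s = substr(s, i + length(from))
        }
        return out s
    }
    # Copy a file stanza verbatim up to its closing brace: its cache-path and
    # source-path still name the OLD object and must keep doing so.
    /^sys file ssl-(cert|key) / { infile = 1 }
    infile { print; if ($0 ~ /^}/) infile = 0; next }
    {
        line = lit_sub($0,   "/" old ".crt", "/" new ".crt")
        line = lit_sub(line, "/" old ".key", "/" new ".key")
        line = lit_sub(line, " " old ".crt", " " new ".crt")
        line = lit_sub(line, " " old ".key", " " new ".key")
        print line
    }'
}

# cert_key_match CERT KEY: succeeds when the RSA modulus of both agree. A
# mismatch is exactly what the X509_check_private_key error in the question
# reports, so run this before importing anything.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# served_serial HOST:PORT: serial of the certificate a virtual server really
# hands out, the only reliable old-vs-new check when CN and SANs are unchanged.
served_serial() {
    echo | openssl s_client -connect "$1" 2>/dev/null | openssl x509 -noout -serial
}

# renew_on_bigip OLD NEW CERTFILE KEYFILE: the on-box sequence, run from the
# BIG-IP bash shell on the standby unit first. Not executed by this script;
# "tmsh load sys config verify" is assumed to exist on the version in use.
renew_on_bigip() {
    cert_key_match "$3" "$4" || { echo "cert/key mismatch, aborting" >&2; return 1; }
    cp /config/bigip.conf "/config/bigip.conf.$(date +%Y%m%d%H%M%S)"   # backup first
    tmsh install sys crypto cert "$2" from-local-file "$3"
    tmsh install sys crypto key  "$2" from-local-file "$4"
    tmsh save sys config
    swap_cert_refs "$1" "$2" < /config/bigip.conf > /config/bigip.conf.new
    mv /config/bigip.conf.new /config/bigip.conf
    tmsh load sys config verify && tmsh load sys config
}

# Constructed sample: one iApp-style client-ssl profile plus the two file stanzas.
SAMPLE_CONF='ltm profile client-ssl /Common/myapp.app/myapp_client-ssl {
    app-service /Common/myapp.app/myapp
    cert-key-chain {
        default {
            cert /Common/samenamecert.crt
            key /Common/samenamecert.key
        }
    }
    defaults-from /Common/clientssl
}
sys file ssl-cert /Common/samenamecert.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert.crt
}
sys file ssl-key /Common/samenamecert.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1
    revision 1
    source-path /config/ssl/ssl.key/samenamecert.key
}'

# Dry run on the sample: only the two profile lines change.
printf '%s\n' "$SAMPLE_CONF" | swap_cert_refs samenamecert samenamecert170414
```

Running the rewrite in the reverse direction (samenamecert170414 back to samenamecert) after the old objects have been deleted and the pair re-imported under the original name gives the second half of the accepted answer's procedure; the file stanzas are skipped in both directions, so a round trip leaves the sample unchanged. On the box, diff the backup against the rewritten file before loading it, and compare served_serial against the serial in System ›› File Management afterwards rather than trusting a browser cache.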

Hi, what I would do in your case is:
  1. synchronize the active and passive devices
  2. use the passive device for your manipulation
  3. force the passive device to "push config to group", and your main device will have the proper configuration

Regarding step 2, if you want to use the GUI you'll have to delete the certificate and key, then recreate them with the same name... possible only if, prior to this operation, you removed the certificate from the SSL profiles that use it. If it takes too long using the GUI, you'll have to edit bigip.conf and use "sed" to replace what you want to replace :)

cheers

0