Server Cert install problems

Question

folks 
&nbsp;  
&nbsp; i'm having difficulties installing a server cert on my F5 4300 
&nbsp;  
&nbsp; i have generated the csr and sent it to my CA (an internal PKI server) but when i get the Base64 cert back i open it in notepad and paste the contents into the f5 i get an invalid cert error 
&nbsp;  
&nbsp; i've also copied in the private key and the encryption password is the right one 
&nbsp;  
&nbsp; i'm told the certificate from the pki server also contains the certificate chain but i'm not really sure what this means  
&nbsp;  
&nbsp; can anyone give me some guidance or advice? 
&nbsp;  
&nbsp; thanks to anyone taking the time to reply

hooleylist · Answer

Are the cert and key PEM encoded?  If not, you'll need to convert them to PEM first.  You can use openssl on LTM to do this.  Just search for convert certificate on AskF5. 
&nbsp;  
&nbsp; If the cert/key are in PEM format, you should see the following format: 
&nbsp;  
&nbsp;  
&nbsp; -----BEGIN CERTIFICATE----- 
&nbsp; MIIEPzCCA6gCAQEwDQYJKoZIhvcNAQEEBQAwgaMxCzAJBgNVBAYTAkVYMRYwFAYD 
&nbsp; YEAUAk16xvH2y3cS3Zf3TVQA7lu4JGqiP8YBRjhHvvZwOm3IAYMlZ7OsURGEZkC 
&nbsp; ... 
&nbsp; EeCDRJvnwAk1PK8YUJk5dWBF7u30ndaQ+Bov1vlAy1qGrTpg/N79rdqSjnU881Tb 
&nbsp; JdhGUTzpSZKIwLLckSkxkzP/65NG6IxOr+i1oAVkBdJ1N48= 
&nbsp; -----END CERTIFICATE----- 
&nbsp; &nbsp; 
&nbsp;  
&nbsp; If you see multiple certs in the file, you'll want to split out the actual server cert from the rest.  You can use openssl to print out details on the cert: 
&nbsp;  
&nbsp; openssl x509 -in server.example.com.crt -noout -text 
&nbsp;  
&nbsp; Check for the certificate subject to see which cert is which.  Then copy out just the server cert.  You can either copy the file to /config/ssl/ssl.crt/ or upload it via the GUI. 
&nbsp;  
&nbsp; Once you have just the server cert imported, you can try to import the key through the GUI as well. 
&nbsp;  
&nbsp; Aaron

mulhollandm_648 · Answer

aaron 
&nbsp;  
&nbsp; many thanks for your reply, its greatly appreciated 
&nbsp;  
&nbsp; i have 2 certs in the response to my csr, a Base64_certnew and a DER_certnew 
&nbsp;  
&nbsp; once i open either of the certs i can see 4 certs 
&nbsp;  
&nbsp; - the F5 servername 
&nbsp; - intermediate CA 
&nbsp; - level 2 enterprise CA 
&nbsp; - root CA 
&nbsp;  
&nbsp; i've installed the F5 servername cert but get a Your certificate chain cannot be fully verified error 
&nbsp;  
&nbsp; is there more i need to do on the f5 
&nbsp;  
&nbsp; thanks again

hooleylist · Answer

I'm guessing the base64_certnew is in PEM format if you were able to import the cert/key to the LTM.  Once you import the cert/key, combine the rest of the root/intermediate CA certs in one file using a text editor and then import them as a cert.  You can then select that bundle in the client SSL profile as the chain certificate.  The browser should then correctly tie the server cert to the corresponding root cert in the browser cert store. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Server Cert install problems

3 Replies

Recent Discussions

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Getting Started with BIG-IP Next: Installing Instances on VMware ESXi

Source_Addr Persistence Problems

Ansible - Bricking freshly installed vcmp guests with ansible

Image installation status audited

Install status audited on boot location where I try to install new software