ClientSSL Profile. Key and Cert mismatch. Applying to Virtual Server

Question

Hi,&nbsp;
I have a VIP setup for HTTPS pointing to a pool of HTTP servers. We want to install the certificate on the BIG IP. I generated the CSR for a certificate authority, received the cert and imported it.&nbsp;
I created a SSL profile, using clientssl as the parent profile and selected my certificate and key. But I'm receiving the error: "Common/xdoctest_clientssl's key and certificate do not match"&nbsp;
I generated two MD5 checksums and found the crt and key do not match. Is this a problem with the certificate I received? ClientSSL would be the appropriate profile in this scenario, correct?&nbsp;
My plan was to apply the clientSSL to the VIP and leave the serverssl blank (due to http backend)&nbsp;

shaggy · Answer

Your plan is correct - you only need a clientssl profile. The certificate and key must "match" but they won't match - They aren't identical files, so md5sum won't help you, but the CSR must be generated based on the key that was created. If you created the CSR on the F5, it will automatically create the associated key. Once you obtain the certificate from your certificate authority using the CSR that was generated, you then upload the certificate, matching it to the key you created (System | File Management | SSL Certificate List | click on the key you created, import the certificate).

nfordhk_66801 · Answer

Hey Shaggy,&nbsp;
I found out the issue. It appeared to be related to the DNS name. I had generated the CSR with the short name since it was an internal site. However, I found utilizing the FQDN resolved the issue. Do you have any explanation why?&nbsp;
Is it because DNS is tied to the FQDN?&nbsp;

nfordhk_66801 · Answer

Could I create an irule to add on the domain for users who use short name? &nbsp;

nitass_89166 · Answer

Could I create an irule to add on the domain for users who use short name?&nbsp;

certificate uses short name, doesn't it? we can configure http redirect to fqdn but user will get certificate warning message (because fqdn does not match short name in the certificate).&nbsp;

nitass · Answer

Could I create an irule to add on the domain for users who use short name?&nbsp;

certificate uses short name, doesn't it? we can configure http redirect to fqdn but user will get certificate warning message (because fqdn does not match short name in the certificate).&nbsp;

Forum Discussion

ClientSSL Profile. Key and Cert mismatch. Applying to Virtual Server

10 Replies

Recent Discussions

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

SSL protocol mismatch

Capture Virtual Server Clientssl Profile & Ciphers Mapping - Bash

TLS server_name extension based routing without clientssl profile

limit to number of clientssl profiles

Cipher suite mismatch advertisement/warning