F5 Self Signed Cert...Client-SSL-Profile Issue
Hi, I've used the process below to create a new self-signed cert and key on the F5 (from https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14534.html). My cert and key are created fine using openssl on the CLI, but it won't apply to a Client-SSL profile in the GUI (from the client-ssl profile I choose my new certificate and key). It just won't take it; it just defaults back to the original certificate=ca-bundle and key=default. Am I missing something? We are running version 11.5.3.
Thanks
Generating a new SSL private key and self-signed certificate:

1. Log in to the BIG-IP command line.

2. Generate a new SSL private key and self-signed certificate using the following command syntax:

    openssl req -x509 -nodes -newkey rsa: -keyout -out -days < of days>

   For example, the following command generates a new 2048-bit SSL private key in the /config/ssl/ssl.key/ directory named f5test.com_self-signed_2015.key, and a self-signed certificate in the /config/ssl/ssl.crt/ directory named f5test.com_self-signed_2015.crt:

    openssl req -x509 -nodes -newkey rsa:2048 -keyout /config/ssl/ssl.key/f5test.com_self-signed_2015.key -out /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt -days 365

   Note: The -nodes option removes the passphrase prompt for the key. If you want to add a passphrase to the key for extra security, refer to SOL14912: Adding and removing encryption from private SSL keys (11.x - 12.x).

3. Install the new SSL private key and self-signed certificate in the BIG-IP filestore using the following command syntax:

    tmsh install /sys crypto key from-local-file
    tmsh install /sys crypto cert from-local-file

   For example, to install the SSL private key and self-signed certificate generated in the previous steps:

    tmsh install /sys crypto key f5test.com_self-signed_2015.key from-local-file /config/ssl/ssl.key/f5test.com_self-signed_2015.key
    tmsh install /sys crypto cert f5test.com_self-signed_2015.crt from-local-file /config/ssl/ssl.crt/f5test.com_self-signed_2015.crt

4. The SSL private key and self-signed certificate can now be associated with an SSL profile.
Ok, we figured this out. Nothing was broken; it's just a human factors issue with the interface. The dropdown options for cert/key are just lists; they don't actually select the options unless you click "Add", which puts the selections in the text input box just below. This was confusing because so many other configuration menus in the F5 are select a dropdown box option and save the config, but for some reason this is different.
So bottom line, once we clicked "Add", which copied the selections from the dropdown box to the free text entry field below, and saved the config, it worked.
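
When a profile appears to reject a new pair, a quick way to rule out a key/certificate mismatch before looking at the GUI is to compare the RSA moduli of the two files. The script below is an added example, not part of the posts above or of the F5 article; the function names, the `-subj` value and the sample file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: confirm that an RSA private key and a certificate
# belong together by comparing their moduli.
# All file names here are constructed samples.

# pair_matches KEY CERT
#   exit 0 = same modulus, 1 = different, 2 = a file could not be parsed
pair_matches() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# make_selfsigned DIR NAME
#   same openssl req form as step 2 of the procedure, with -subj added
#   so that it runs without prompting; writes DIR/NAME.key and DIR/NAME.crt
make_selfsigned() {
    openssl req -x509 -nodes -newkey rsa:2048 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days 365 -subj "/CN=$2" >/dev/null 2>&1
}

# Demonstration on throwaway files in a temporary directory.
work=$(mktemp -d)
make_selfsigned "$work" example.test
make_selfsigned "$work" other.test

if pair_matches "$work/example.test.key" "$work/example.test.crt"; then
    echo "example.test: key and certificate match"
fi
if ! pair_matches "$work/other.test.key" "$work/example.test.crt"; then
    echo "other.test key does not match example.test certificate"
fi
rm -rf "$work"
```

If the moduli match, the files themselves are a valid pair and the problem lies in how they are being attached to the profile.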