Forum Discussion

nvitiritti_1955
Nimbostratus
Dec 02, 2015

Error reading key PEM file: bad password read

After upgrading to 11.6 HF5 on our LTM I'm no longer able to reorder ciphers on my client side SSL profiles. When I try to do this I receive error:

 

01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:key name here for profile /Common/profile name here: error:0906A068:PEM routines:PEM_do_header:bad password read

 

Before the upgrade I reordered the ciphers on all my profiles so that the strongest ciphers in 10.2 were used first. Now that the upgrade is done I'm trying to reorder them with the new ciphers available in 11.6.

 

Any help is greatly appreciated.

 

3 Replies

  • Have you tried uploading the key again? I have seen this before where the key has a password set and the unit master key has changed ( f5mku -K ).

     

  • 1) Did you upload the key via GUI? If yes, then was it in the expected format? 2) Check the passphrase again.

     

    Let me know if you need help. I've been through this multiple times.

     

  • If your private key is protected by passphrase you can try to restore the master key as recommended by Pete.

    But you can enter a cleartext passphrase into your /config/bigip.conf in the context of the affected client-ssl profile as well to replace the current encrypted passphrase protected by the master key (the one with $M$ prefix).

    Now reload the configuration by entering:
    tmsh load sys config
    

    If it loads properly you can save it afterwards:

    tmsh save sys config
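
An added example, not part of the thread and not F5 tooling: a small Python audit that reads bigip.conf-style text and reports, for each client-ssl profile, whether the key passphrase is stored with the `$M$` master-key prefix, in cleartext, or not at all. The sample configuration, the profile and key names, and the stanza layout are constructed assumptions.

```python
import re

# Constructed sample in bigip.conf style; names, values and layout are assumptions.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/site_a {
    key /Common/site_a.key
    passphrase $M$Ab$constructedciphertext==
}
ltm profile client-ssl /Common/site_b {
    cert-key-chain {
        default {
            key /Common/site_b.key
            passphrase "constructed cleartext"
        }
    }
}
ltm profile client-ssl /Common/site_c {
    key /Common/site_c.key
}
ltm pool /Common/pool_a {
}
"""

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{\s*$")
FIELD = re.compile(r"^\s*(key|passphrase)\s+(.+?)\s*$")

def audit_client_ssl(conf_text):
    """Map each client-ssl profile to its key and passphrase storage state."""
    report, current, depth = {}, None, 0
    for line in conf_text.splitlines():
        if depth == 0:  # top level: only a client-ssl header opens a profile
            m = HEADER.match(line)
            current = m.group(1) if m else None
            if current:
                report[current] = {"key": None, "passphrase": "none"}
        elif current:
            f = FIELD.match(line)
            if f and f.group(1) == "key":
                report[current]["key"] = f.group(2)
            elif f:  # passphrase: $M$ prefix means protected by the master key
                value = f.group(2).strip('"')
                state = "master-key-encrypted" if value.startswith("$M$") else "cleartext"
                report[current]["passphrase"] = state
        depth += line.count("{") - line.count("}")  # assumes no braces in quoted values
    return report

if __name__ == "__main__":
    for name, info in audit_client_ssl(SAMPLE_CONF).items():
        print(name, info["key"], info["passphrase"])
```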