iQuery doesn't appear to support elliptic curve anywhere in the PKI chain
On 12.1.2, attempting to add an elliptic curve CA certificate to GSLB "Trusted Server Certificates" gives the error:
Key management library returned bad status: -35. EC keys are incompatible for Webserver/EM/iQuery.
In my experience, in order for GSLB iQuery connections to work when using CA-issued certificates as device certificates, the whole CA chain including the root CA must be added to "Trusted Server Certificates" (DNS>GSLB>Servers) and "Trusted Device Certificates" (System>Device Certificates).
Does anyone know of a way to make iQuery work that won't involve either setting up a whole new RSA PKI (unreasonable), or going back to self-signed certificates for the Configuration Utility and iControl? I can live with self-signed iQuery mesh, but I though the days of self-signed Config Utility and iControlREST were behind us.
There's no mention of this limitation in the documentation, or on AskF5. There are no relevant hits in Google, so I guess no one else is actually using an EC CA internally.