Forum Discussion

K-Dubb
Feb 02, 2011

Export Verisign SSL Cert from BIGIP to IIS?

Hi,

I am sorry if this is the wrong area for this question, but I did not see a more suitable spot for this question. We are in the process of bringing online a second Datacenter that will be used for DR. The problem is, we will not have a BIGIP unit there. We will use NLB with IIS servers. My question is, assuming we don't use both at the same time, is there a procedure to export Verisign SSL Certs from the BIGIP unit that can then be imported into IIS? I found a solution of doing the opposite (Import IIS Cert into BIGIP SOL6549) but I am not sure if this can be reversed or not? I am also not sure if Verisign certs for BIGIP units will even work in IIS.

Any help is appreciated!

Thanks.

8 Replies

  • You can use openssl from the CLI to export the cert into the proper format, then perform a simple file transfer to an ftp server. I believe pk12 format is what is required for IIS but I could be mistaken. Either way, here is the syntax that should work.

    Openssl pkcs12 -export -out file.p12 -inkey /config/ssl/ssl.key/.key -in /config/ssl/ssl.crt/.crt
  • K-Dubb
    Posted By dathomas111 on 02/02/2011 10:52 AM

    You can use openssl from the CLI to export the cert into the proper format, then perform a simple file transfer to an ftp server. I believe pk12 format is what is required for IIS but I could be mistaken. Either way, here is the syntax that should work.

    Openssl pkcs12 -export -out file.p12 -inkey /config/ssl/ssl.key/.key -in /config/ssl/ssl.crt/.crt

    Thanks. I am on 9.4.8, is there something I have to do to enable openSSL? I am getting: -bash: Openssl: command not found


  • Posted By K-Dubb on 02/03/2011 07:05 AM

    Posted By dathomas111 on 02/02/2011 10:52 AM

    You can use openssl from the CLI to export the cert into the proper format, then perform a simple file transfer to an ftp server. I believe pk12 format is what is required for IIS but I could be mistaken. Either way, here is the syntax that should work.

    Openssl pkcs12 -export -out file.p12 -inkey /config/ssl/ssl.key/.key -in /config/ssl/ssl.crt/.crt

    Thanks. I am on 9.4.8, is there something I have to do to enable openSSL? I am getting: -bash: Openssl: command not found

    Good old case insensitivity, try "openssl" instead of "Openssl."
  • K-Dubb
    Thanks. Is this supposed to create a .crt file? I ask because the command appeared to work, but I do not see a file. I have looked around and do not see the file.

    Also, we already have .crt files for every .key file, so I am wondering if these will work?

    How can I make sure that doing the export doesn't destroy the cert on the F5?
  • It should create a .p12 file in the directory from which you ran the command.
  • K-Dubb
    It sure did, thanks. Would you expect this to destroy the cert on the F5 then, or will it still be valid?
  • Posted By K-Dubb on 02/04/2011 09:15 AM

    It sure did, thanks. Would you expect this to destroy the cert on the F5 then, or will it still be valid?

    F5 one is just fine. The openssl command just read the key/cert so it could make the .p12 file. It didn't alter the key/cert in any way.
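
The export discussed in this thread, wrapped with the checks an administrator would want around it, as an added example that is not part of the original posts or any F5 tooling: it confirms the key and certificate belong together, protects the .p12 with a passphrase and owner-only permissions, re-opens the bundle, and shows that the source files are left unchanged. The function name `export_p12` and the variable `P12_PASS` are hypothetical, an RSA key is assumed, and the key and certificate paths are supplied by the caller.

```shell
# Added example (hypothetical helper, not an F5 tool).
# Usage: P12_PASS='...' ; export_p12 <key file> <cert file> <out.p12>
export_p12() {
    key=$1; crt=$2; out=$3
    [ -n "$P12_PASS" ] || { echo "set P12_PASS to protect the bundle" >&2; return 1; }
    export P12_PASS
    [ -r "$key" ] && [ -r "$crt" ] || { echo "cannot read key or cert" >&2; return 1; }

    # An RSA key and a certificate belong together only if their moduli are equal.
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    [ "$kmod" = "$cmod" ] || { echo "key does not match certificate" >&2; return 1; }

    # Checksums taken before the export, compared again afterwards.
    before=$(cksum "$key" "$crt")

    # The bundle contains the private key: create it readable by the owner only,
    # and pass the passphrase through the environment, not the command line.
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
          -passout env:P12_PASS ) || return 1

    # Re-open the bundle to confirm the passphrase and integrity check succeed.
    openssl pkcs12 -in "$out" -noout -passin env:P12_PASS 2>/dev/null || return 1

    # The export only reads its inputs, so the originals must be unchanged.
    [ "$before" = "$(cksum "$key" "$crt")" ] || { echo "source files changed" >&2; return 1; }
    echo "wrote $out"
}

# Run directly when called with three arguments: key, cert, output file.
if [ "$#" -eq 3 ]; then export_p12 "$@"; fi
```

The .p12 holds the private key, so move it over an encrypted channel such as scp and delete the transfer copy once IIS has imported it.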