Failure in Exporting FIPS Private Keys

Were these keys imported as (or converted to) FIPS security format and saved on a HSM in the device? If so are you sure you are successfully exporting the keys? I thought a major point of having keys stored as FIPS was to prevent the key from being exportable (and therefore 'stolen' or otherwise used for nefarious means). My understanding is that a FIPS key may still have a .exp file in the BigIP filesystem, but the file is not the full key. This discussion with tech support is fuzzy now, but I believe it is a partial file and may be used by the system as a pointer to the location of the key in the HSM. Interested to hear results of support case and other's inputs.

FIPS keys actually are meant to be exportable, and usable, but only on other F5 BigIP systems. In regards to your question, indeed, the FIPS keys were generated on HSM module and they are currently in use in clientssl and serverssl profiles. The method used for generating the keys which can't be exported was not any different. As said, the majority of FIPS keys are usable on other systems, but some FIPS files are either missing or corrupt, even after running the "fipskeys export". Thanks for your response.. so far it appears to be a F5 bug. The FIPS export feature is quite poorly developed on v10.x platform, a lot of FIPS issues are resolved in v11.x but one must try to get there first, without revoking the certificates :)

Appreciate the info! I feel I have misunderstood some aspects related to FIPS keys and will need to do a bit of research. The keys are certainly exportable in the fact that HSMs in the same security domain must sync with each other. I did not know manual key export is possible - it sounds as though the exported key is encrypted an useable only in the same security domain, yes? I won't hold up your original thread - appreciate the correction to my understanding!