I am trying to import a key using key_import_from_pem(...); and keep getting the following error: System.Web.Services.Protocols.SoapHeaderException: Exception caught in Management::KeyCertificate::key_import_from_pem() Exception: Common::OperationFailed primary_error_code : -7 (0xFFFFFFF9) secondary_error_code : 0 error_string : error:0906D06C:PEM routines:PEM_read_bio:no start line The key was generated on another BigIP using key_generate(...); and then exported using key_export_to_pem(...); So the format should be correct. Let me know what i can try. Thanks,

That error message comes from our ssl libraries when trying to load the content of the supplied key. Are you returning the same string as the one returned from the key_export_to_pem() method or are you storing it and reloading it later. Could it be there are extra newlines or something else in it that is different from the original value returned? Without more details it's hard for us to diagnose any issues. Also, your dev environment will help us try to reproduce your issue as each client environment behaves a bit differently when debugging. Any code snippets you can supply would help us also. -Joe

I using C. Code to gen and retrieve the key: ManagementKeyCertificateKey[] keys = new ManagementKeyCertificateKey[1]; keys[0] = new ManagementKeyCertificateKey(); keys[0].id = "test"; keys[0].key_type = ManagementKeyCertificateKeyType.KTYPE_RSA_PRIVATE; keys[0].bit_length = 1024; keys[0].security = ManagementKeyCertificateSecurityType.STYPE_NORMAL; ManagementKeyCertificateX509Data[] x509Data = new ManagementKeyCertificateX509Data[1]; x509Data[0] = new ManagementKeyCertificateX509Data(); x509Data[0].common_name = "test.com"; x509Data[0].country_name = "US"; x509Data[0].division_name = "Test"; x509Data[0].locality_name = "Test"; x509Data[0].organization_name = "Test"; x509Data[0].state_name = "Utah"; string[] saCsrIds = new string[1]; saCsrIds[0] = "test"; mng.key_generate (ManagementKeyCertificateManagementModeType.MANAGEMENT_MODE_DEFAULT, keys, x509Data, true, true); string[] saKey = mng.key_export_to_pem(ManagementKeyCertificateManagementModeType.MANAGEMENT_MODE_DEFAULT, saCsrIds); foreach(string sKeyText in saKey) { sReturnKeyText = sKeyText; } Code used to import key: string[] KeyIds = new string[1]; KeyIds[0] = "test"; string[] saKeyText = new string[1]; saKeyText[0] = sReturnKeyText; mng.key_import_from_pem(ManagementKeyCertificateManagementModeType.MANAGEMENT_MODE_DEFAULT, KeyIds, saKeyText, true); The key is stored in a database and pulled out when it is needed for the import. This does not seem to be a problem since if i gen the key on one BigIP and delete that key then let my app iport that key it is fine. The only time i see the error is if i try to import the key to a different BigIP. Thanks for the quick response.

So, it looks like you passed in the create_optional_cert_csr flag in key_generate() to enable creation of a certificate and certificate request (CSR). This will generate a key and certificate on device 1. You then are downloading the key from device one and it works when you upload it to device 1. But when you try to upload it to device 2 you are getting this error. Could it be that the key is tied to the certificate created in the key_generate() command? I'm not super familiar with the underlying libraries in this code so I'll check on this but that is my initial thought. When I get an update I'll let you know. -Joe

I am puting the key and cert on device 2 to them in sync. If there is a better way to do this let me know.

Use the archive operations, which will grab keys, certs, csrs... Loc

Unable to import SSL Key using "key_import_from_pem"

13 Replies

Joe_Pruitt
Sep 18, 2006
Ok, I wrote a C app to do steps 1-4 above and every step worked for me. In my setup, I'm using a dev build of 9.4 for device 1 and a fairly old 9.0.5 for my device 2. This is looking like it's tied to your specific version of BIG-IP you are running.

Unfortunately, there isn't much more that we can do here as I've verified your logic and usage of the APIs is correct and functions on at least some versions of the platforms (I cut and pasted your code word-for-word). The only difference could be that my app keeps the key value in memory between the export and the import to the secondary device. Not sure if your storage in the database could be the issue or not. But, since you say it's only when importing to a secondary device, then that probably isn't the issue.

I'm going to have to forward you back to product technical support and you should mention that this has been tested by the staff at DevCentral and the logic is correct so it has to be tied to your specific product version. Then the case can get escalated to our dev support team to take a look at your specific configuration and version to try to recreate the issue there.

Sorry about passing the buck back and forth. Let us know how things work out.

-Joe
Ben_Skolmoski_1
Nimbostratus
Sep 18, 2006
Thanks for the help i have re-submitted the case to the support folks we'll see how things go.

Thanks again,
Ben_Skolmoski_1
Nimbostratus
Sep 19, 2006
I did try to import the key without sticking it the db first and it made no difference. I have tried to re-open my ticket with your support people with no luck. Oh well nothing you can do about that I will just keep trying.

Thanks,

Forum Discussion

Unable to import SSL Key using "key_import_from_pem"

13 Replies

Recent Discussions

CONSULT CRYPTO RECOVERY EXPERT FROM SWIFT DREAM WEB CONSULTANTS

SIGSEGV on 15.1.10.x

F5 - insert http header on redirect and carry it over to the redirected site?

Cookie insert via http:redirect - can it be configured "secure"?

I RECOVERED MY DIGITAL ASSETS LOST TO FAKE FOREX BROKER

Related Content

import f5!

Security for IoT Devices and Why It’s Important

Import certificate as pfx format

Unable to access GUI

Creating, Importing and Assigning a CA Certificate Bundle