Hi, Am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere ( ie not on the F5 ), and have the cert/key from a CA already. The current certificate/key is in use. Trying to update either the certificate or the key, results in the F5 complaining that the key does not match the certificate or vice versa. So, several workarounds to do this would be to delete the certificate/key pair and recreate, or add the certificate/key under a new name. Either one involoves enourmous pain, as the certificate is used by hundreds of iApps ( coding involved ). Does anyone have an alternate suggestion. Seems I cannot be the only person with this issue, but so far as I can find, it seems like a unique problem? Help or suggestions appreciated error message v11.4 01070313:3: Error reading key PEM file /config/filestore/files_d/Common_d/certificate_key_d/:Common:star.mydomain.com.key_12345_1 for profile /Common/myapp.app/myapp_as_client-ssl: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.

Have you tried just deleting either the key or the certificate, and then importing the new one that you didn't delete? For example, delete the certificate, then import the new key, then import the new certificate.

did you try adding the new Certificate and key as a new pair? Then apply it to the in-use ssl profile? I can't see how you could update the existing certificate and key when its in use and neither the new key or Cert would match the old one that still needs to be changed.

The best way is to use a new name for key and certificate and update key&certificate in ssl profile. in this way ssl profile name would remain same.

Cory, Deleting key or cert is not possible, as they are in use. So, F5 ( by design ) does not let you do this. afedden, Yes, you can do this, but, and here is maybe a design issue for me, all my iApps use a different ssl profile. So, every iApp has a unique ssl profile ( maybe not my finiest moment of design ). So, maybe there is where the uniqueness of my issue comes. I opted to have one ssl profile per iApp. Now I have several hundred iApps and several hundred ssl profiles. Yes, seems crazy now written down, and hindsight is a wonderfull thing, but the basic issue, is a simple change of certificate/key has turned into a pretty major change affecting every iAPP.

Cory, That sounds like a good option. I particularly dislike leaving old keys around, but once the change is done, then I could delete them. In fact, once I do the above, then I could reimport the new new cert/key combo and use the old name, and then do the same search and replace and delete the new name. An odd way to do things, but quite workable. all else fails, this seems like a good option. thanks

Cannot Renew Certifcate and private key ( but keep the same name in F5 config )

20 Replies

Cory_50405
Noctilucent
Apr 16, 2014
Have you tried just deleting either the key or the certificate, and then importing the new one that you didn't delete? For example, delete the certificate, then import the new key, then import the new certificate.
afedden_1985
Cirrus
Apr 16, 2014
did you try adding the new Certificate and key as a new pair? Then apply it to the in-use ssl profile? I can't see how you could update the existing certificate and key when its in use and neither the new key or Cert would match the old one that still needs to be changed.
Emad
Cirrostratus
Apr 16, 2014
The best way is to use a new name for key and certificate and update key&certificate in ssl profile. in this way ssl profile name would remain same.
elastic_82555
Nimbostratus
Apr 16, 2014
Cory, Deleting key or cert is not possible, as they are in use. So, F5 ( by design ) does not let you do this.

afedden, Yes, you can do this, but, and here is maybe a design issue for me, all my iApps use a different ssl profile. So, every iApp has a unique ssl profile ( maybe not my finiest moment of design ). So, maybe there is where the uniqueness of my issue comes. I opted to have one ssl profile per iApp. Now I have several hundred iApps and several hundred ssl profiles. Yes, seems crazy now written down, and hindsight is a wonderfull thing, but the basic issue, is a simple change of certificate/key has turned into a pretty major change affecting every iAPP.
Cory_50405
Noctilucent
Apr 16, 2014
So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.
elastic_82555
Nimbostratus
Apr 16, 2014
Cory, That sounds like a good option. I particularly dislike leaving old keys around, but once the change is done, then I could delete them. In fact, once I do the above, then I could reimport the new new cert/key combo and use the old name, and then do the same search and replace and delete the new name. An odd way to do things, but quite workable.

all else fails, this seems like a good option. thanks
- Cory_50405
  Noctilucent
  Apr 16, 2014
  Be sure to back up your bigip.conf file just in case something goes awry.
elastic_82555
Nimbostratus
Apr 17, 2014
Hi, Here is the process.

Background reading, http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14620.html14

Backup bigip.conf
import new cert/key into F5 via gui named - samenamecert170414 - ie same name but with date added on end
reconfig one iApp to use new cert/key
edit bigip.conf search/replace samenamecert.key and samenamecert.crt to samenamecert170414.key and samenamecert170414.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt

sys file ssl-cert /Common/samenamecert.crt { cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.crt/samenamecert.crt sys file ssl-key /Common/samenamecert.key { cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.key/samenamecert.key

Relaod the config tmsh load sys config

Delete original "samenamecert"

import new cert/key into F5 via gui names - samenamecert - ie the original cert name
reconfig one iApp to use samename cert/key ie back to the original name
edit bigip.conf search/replace samenamecert170414.key and samenamecert179414.crt to samenamecert.key and samenamecert.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt

sys file ssl-cert /Common/samenamecert170414.crt { cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert170414.crt_67272_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.crt/samenamecert170414.crt sys file ssl-key /Common/samenamecert170414.key { cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert170414.key_67268_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.key/samenamecert170414.key

tmsh load sys config
delete the samenamecert170414 cert/key
Check the cert has the correct serial number. IMPORTANT! System ›› File Management : SSL Certificate List ›› samenamecert
Check via a browser that you are getting the correct certificate served, taking a stastically valid sample of your affected domains/applications
Job done.

Pretty simple really. All due to a certificate change. This should really be so much easier.

NB. Currently I have only done this on the standby node. I am awating permission to failover and do a replication. Will update as soon as...
- Cory_50405
  Noctilucent
  Apr 17, 2014
  Your thoroughness and attention to detail is impressive.
- Emad_26973
  Cirrus
  Apr 17, 2014
  :)
elastic_82555
Nimbostratus
Apr 22, 2014
Hi, Ok today I was able to flip over from active to standby. Synchronized both F5's after the flip from active to standy ( standby had the config changes ). On both F5's the certificate seems to be the correct one ( checking the serial number ). However all the VS's are still supplying the old certifcate ( verified by the old serial number still being present ). Have cleared browser caches, and indeed used a virgin vm with a browser, and yes the old certificate is still being served. Seems like something else needs to be done. Ideas welcomed. ( am looking into it at the moment )
- elastic_82555
  Nimbostratus
  Apr 22, 2014
  Hi, sorry folks, this was a false alarm, the process I discribed works exactly as is. Had some issues locally with old iApps that are no longer used ( DNS pointing to other F5 ). This was the reason for above comment, and maybe I should have done more testing before posting. Lesson learned. Anyway process all good, and both F5's working, with new certificate.
- Cory_50405
  Noctilucent
  Apr 22, 2014
  Good to hear. Thanks for following up.

nitass_89166

Noctilucent

Apr 22, 2014

this is my testing. is it same as yours?

0. existing certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert one.crt
            key one.key
        }
    }
    defaults-from clientssl
}

1. verify certificate from virtual server

[root@ve11a:Active:In Sync] config  echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=one
issuer= /C=US/CN=one

2. install new certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto cert two from-local-file /var/tmp/two.crt
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto key two from-local-file /var/tmp/two.key

3. verify new certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto cert two.crt
sys crypto cert two.crt {
    certificate-key-size 2048
    city
    common-name two
    country US
    email-address
    expiration Apr 22 08:31:58 2015 GMT
    organization
    ou
    public-key-type RSA
    state
    subject-alternative-name
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto key two.key
sys crypto key two.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}

4. save configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done

5. manually modify bigip.conf

ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/two.crt
            key /Common/two.key
        }
    }
    defaults-from /Common/clientssl
}

6. reload configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /defaults/daemon.conf
  /defaults/fullarmor_gpo_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf

7. verify certificate from virtual server

[root@ve11a:Active:In Sync] config  echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=two
issuer= /C=US/CN=two

elastic_82555
Nimbostratus
Apr 22, 2014
Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so command used locally... echo | openssl s_client -connect 10.1.2.11:443 2>&1|openssl x509 -noout -serial This should print out your serial number of your cert. Old and new certs should have different serial numbers
ishan4386_20603
Nimbostratus
Apr 18, 2017
Same issue happened with me. I have deleted the key from F5 and then later import the key in F5. These time while uploading the certificate I used the same name of the Exported Private key. Previously while uploading the certificate I used a new Certificate name due to which this error happened.

nitass

Employee

Apr 22, 2014

this is my testing. is it same as yours?

0. existing certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert one.crt
            key one.key
        }
    }
    defaults-from clientssl
}

1. verify certificate from virtual server

[root@ve11a:Active:In Sync] config  echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=one
issuer= /C=US/CN=one

2. install new certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto cert two from-local-file /var/tmp/two.crt
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto key two from-local-file /var/tmp/two.key

3. verify new certificate and key

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto cert two.crt
sys crypto cert two.crt {
    certificate-key-size 2048
    city
    common-name two
    country US
    email-address
    expiration Apr 22 08:31:58 2015 GMT
    organization
    ou
    public-key-type RSA
    state
    subject-alternative-name
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto key two.key
sys crypto key two.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}

4. save configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done

5. manually modify bigip.conf

ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/two.crt
            key /Common/two.key
        }
    }
    defaults-from /Common/clientssl
}

6. reload configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /defaults/daemon.conf
  /defaults/fullarmor_gpo_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf

7. verify certificate from virtual server

[root@ve11a:Active:In Sync] config  echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=two
issuer= /C=US/CN=two

elastic_82555
Nimbostratus
Apr 22, 2014
Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so command used locally... echo | openssl s_client -connect 10.1.2.11:443 2>&1|openssl x509 -noout -serial This should print out your serial number of your cert. Old and new certs should have different serial numbers
ishan4386_20603
Nimbostratus
Apr 18, 2017
Same issue happened with me. I have deleted the key from F5 and then later import the key in F5. These time while uploading the certificate I used the same name of the Exported Private key. Previously while uploading the certificate I used a new Certificate name due to which this error happened.

Forum Discussion

Cannot Renew Certifcate and private key ( but keep the same name in F5 config )

20 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

BIG-IP Orchestrate in private Data Center using Terraform Cloud Agent

Using F5 Distributed Cloud private connectivity orchestration for secure multi-cloud infrastructure

Using F5 Distributed Cloud Network Connect to transit, route, & secure private cloud environments

Using NGINX Plus Ingress Controller Image from AWS Marketplace with EKS and Private Offers

Generate private key w/ CSR via iControl REST