Bug ID 478195: Installation of FIPS .exp key files sets incorrect public exponent.

Last Modified: Feb 13, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2

Opened: Sep 05, 2014
Severity: 3-Major

Newer FIPS platforms use NGFIPS devices, which seem to return the public exponent in little-endian format when FIPS exported keys (.exp key files) are imported into FIPS cards. Because F5's code expected the value in big-endian format, an incorrect public exponent value is written to the key file.


If the corresponding certificate was copied from box1 to box2 and then installed on box2, configuring this key/cert on an SSL profile leads to the error 'key and certificate do not match'. If the corresponding certificate is newly created on box2 after the key install, SSL traffic using this key/cert will fail.
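
The sketch below is an added illustration, not F5's code: it reads a little-endian exponent buffer as big-endian and shows both outcomes described above, using textbook RSA without padding. The 4-byte buffer width, the toy key, and all function names are assumptions made for the example.

```python
# Added illustration: names, buffer width and the toy key are assumptions,
# not taken from the F5 bug report or from BIG-IP code.

def encode_le(value: int, width: int) -> bytes:
    """Exponent as a device might return it: little-endian, fixed width."""
    return value.to_bytes(width, "little")

def parse_exponent(buf: bytes, byteorder: str) -> int:
    """Interpret an exponent buffer in the byte order the reader expects."""
    return int.from_bytes(buf, byteorder)

def key_matches_cert(key_pub: tuple, cert_pub: tuple) -> bool:
    """A key and certificate pair up only if modulus and exponent agree."""
    return key_pub == cert_pub

def verifies(message: int, signature: int, pub: tuple) -> bool:
    """Textbook RSA check (no padding): sig^e mod n must give the message."""
    n, e = pub
    return pow(signature, e, n) == message

# Constructed toy key (tiny primes, illustration only).
P, Q, E = 61, 53, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def demo(width: int = 4) -> dict:
    device_buf = encode_le(E, width)               # little-endian from the card
    e_written = parse_exponent(device_buf, "big")  # reader assumes big-endian
    cert_pub = (N, E)          # certificate copied over from box1
    key_pub = (N, e_written)   # public part written to the key file on box2
    msg = 65
    sig = pow(msg, D, N)       # private-key operation still uses the real D
    return {
        "e_written": e_written,
        # Case 1: certificate from box1 compared against the installed key.
        "match": key_matches_cert(key_pub, cert_pub),
        # Case 2: certificate built from the bad key, so peers use e_written.
        "peer_verifies": verifies(msg, sig, key_pub),
    }

if __name__ == "__main__":
    print(demo(4))  # wrong exponent, mismatch, verification fails
    print(demo(3))  # 01 00 01 reads the same in both byte orders
```

With a 3-byte buffer the common exponent 65537 is byte-symmetric and the mismatch stays hidden, so comparing the exponent in the installed key against the one in the certificate is the reliable check.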


Using FIPS platforms (except the older 8900/6900 FIPS platforms):
1. Put two FIPS platforms in the same FIPS security domain without configuring them in a device group.
2. Create or install a key into the FIPS card on box1.
3. Copy the key's FIPS exported key (from /config/ssl/ssl.cavfips/) to box2.
4. Install this FIPS .exp key file on box2 using: 'tmsh install sys crypto key <keyname> from-local-file <.exp file path> security-type fips'



Fix Information

FIPS exported keys can now be correctly installed on other FIPS platforms that belong to the same FIPS security domain.