Last Modified: Oct 06, 2020
Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 12.0.0
Opened: Sep 05, 2014
Related AskF5 Article: K16928
Newer FIPS platforms use NGFIPS devices, which appear to return the RSA public exponent in little-endian byte order when a FIPS exported key (.exp key file) is imported into the FIPS card. F5's import code expected big-endian, so the public exponent written into the key file on the importing system is wrong while the private key inside the HSM is still correct.
The failure depends on where the certificate comes from. If the certificate is copied from box1 to box2 and installed there, assigning this key/cert pair to an SSL profile fails with the error 'key and certificate do not match', because the exponent stored with the key on box2 no longer equals the one in the certificate. If instead a new certificate is created on box2 after the key is installed, the pair is generated from the corrupted public exponent, so the error is not raised but SSL traffic using this key/cert fails.
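To make the byte-order failure concrete, the following is an added illustration and not F5 or NGFIPS code. It models the importer reading a fixed-width exponent field in the wrong byte order and then applies the comparison behind 'key and certificate do not match'. The 4-byte field width, the function names and the sample modulus are assumptions made for this example; it also shows why an exponent whose minimal encoding is a byte palindrome (65537 = 0x010001) would hide the bug if the field were not zero-padded.

```python
# Added illustration (not F5 or NGFIPS code): decoding a fixed-width public
# exponent field in the wrong byte order corrupts the public half of a key so
# that it no longer matches its certificate. The 4-byte field width and the
# sample modulus below are assumptions made for this example.

EXP_FIELD_LEN = 4  # assumed: exponent stored in a fixed 4-byte field


def exponent_as_seen_by_importer(e: int, writer_order: str, reader_order: str,
                                 width: int = EXP_FIELD_LEN) -> int:
    """Serialize e the way the device writes it, then parse it the way the
    importing code reads it. When the two byte orders disagree, the value
    that lands in the key file is wrong."""
    field = e.to_bytes(width, writer_order)
    return int.from_bytes(field, reader_order)


def key_matches_cert(key_pub: tuple, cert_pub: tuple) -> bool:
    """The comparison behind 'key and certificate do not match': the public
    (modulus, exponent) pair stored with the key must equal the pair carried
    by the certificate."""
    return key_pub == cert_pub


def simulate_box2_import(e_true: int, n: int, device_order: str,
                         importer_order: str) -> dict:
    """Model the scenario from the bug: box1 exports the key, box2's importer
    parses the exponent field and writes the result into its key file. The
    certificate copied from box1 still carries the true exponent."""
    cert_pub = (n, e_true)
    e_stored = exponent_as_seen_by_importer(e_true, device_order, importer_order)
    key_pub = (n, e_stored)
    return {
        "stored_exponent": e_stored,
        "matches_copied_cert": key_matches_cert(key_pub, cert_pub),
    }


def minimal_encoding_is_palindrome(e: int) -> bool:
    """Some exponents (65537 = 0x010001) read identically in either byte order
    when stored at their minimal length, which would mask the bug; a fixed
    width field with leading zero bytes does not."""
    b = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return b == b[::-1]


if __name__ == "__main__":
    N = 0xC0FFEE1234567890ABCDEF  # constructed placeholder, not a real RSA modulus
    ok = simulate_box2_import(65537, N, "big", "big")
    bad = simulate_box2_import(65537, N, "little", "big")
    print("correct import:", ok)    # stored 65537, matches_copied_cert True
    print("little-endian field read as big-endian:", bad)  # stored 16777472, False
    print("65537 minimal encoding palindrome:",
          minimal_encoding_is_palindrome(65537))  # True
```

The second scenario in the text (certificate created on box2 after the key install) corresponds to building `cert_pub` from `stored_exponent` rather than from `e_true`: the pair compares equal, so the configuration is accepted, but the HSM still signs with the original private key and the handshake fails.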
Using FIPS platforms (except the older 8900/6900 FIPS platforms):
1. Put two FIPS platforms in the same FIPS security domain without configuring them in a device group.
2. Create or install a key into the FIPS card on box1.
3. Copy the key's FIPS exported key file (from /config/ssl/ssl.cavfips/) to box2.
4. Install this FIPS .exp key file on box2 using:
   tmsh install sys crypto key <keyname> from-local-file <.exp file path> security-type fips
FIPS exported keys (.exp files) can now be correctly installed on other FIPS platforms that belong to the same FIPS security domain.