Last Modified: Oct 17, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Jan 30, 2015
Severity: 3-Major
Related Article:
K21403580
The command 'tmsh install sys crypto key test security-type fips' should be able to change the security-type of the key from normal to FIPS without a problem. However, it asks for a source path: 'must specify at least one of from-editor, from-local-file, or from-url'.
Unable to install a FIPS key using an existing normal key.
This issue occurs when both of the following conditions are met:

-- The existing key has no (.key) suffix in its name. For example:

    tmsh list sys crypto key
    sys crypto key test {      <----- name has no '.key'
        key-size 2048
        key-type rsa-private
        security-type normal
    }

-- The system is configured and licensed for FIPS.
1. Recreate (or reinstall) the existing key/cert pair so that both of them have an extension (.key) in the names, using the tmsh command 'create (or install) sys crypto key' and 'create (or install) sys crypto cert', as shown in the following example:

    tmsh list sys crypto key my_2048.key
    sys crypto key my_2048.key {      <------- name has '.key'
        key-size 2048
        <<< trimmed >>>

    tmsh list sys crypto cert my_2048.crt
    sys crypto cert my_2048.crt {      <------- name has '.crt'
        <<< trimmed >>>

2. Then the command 'tmsh install sys crypto key my_2048 security-type fips' should work without problem.
With the fix, the command 'tmsh install sys crypto key test security-type fips' works for existing keys without extension (.key) as well.