Bug ID 503877: cannot install existing key from normal security-type to fips security-type

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.0.0

Opened: Jan 30, 2015
Severity: 3-Major
Related AskF5 Article:
K21403580

Symptoms

The command 'tmsh install sys crypto key test security-type fips' should be able to change the security-type of the key from normal to FIPS without a problem. However, it asks for source-patch: 'must specify at least one of from-editor, from-local-file, or from-url'.

Impact

Unable to install a FIPS key using an existing normal key.

Conditions

This issue occurs when both of the following conditions are met:

-- The existing key has no (.key) suffix in its name. For example:

    tmsh list sys crypto key
    sys crypto key test {        <----- name has no '.key'
        key-size 2048
        key-type rsa-private
        security-type normal
    }

-- The system is configured and licensed for FIPS.

Workaround

1. Recreate (or reinstall) the existing key/cert pair so that both of them have an extension (.key) in the names, using the tmsh command 'create (or install) sys crypto key' and 'create (or install) sys crypto cert', as shown in the following example:

    tmsh list sys crypto key my_2048.key
    sys crypto key my_2048.key {        <------- name has '.key'
        key-size 2048
        <<< trimmed >>>

    tmsh list sys crypto cert my_2048.crt
    sys crypto cert my_2048.crt {        <------- name has '.crt'
        <<< trimmed >>>

2. Then the command 'tmsh install sys crypto key my_2048 security-type fips' should work without problem.
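
The following is an added example, not part of the original F5 article: a shell function that reads listing text in the stanza format quoted in this article and prints the keys that meet the first condition (name without '.key', security-type normal), that is, the keys the workaround would need to recreate. The function names and the sample listing are constructed for illustration, and it assumes each stanza carries a security-type line as in the quoted output.

```shell
#!/bin/sh
# Added example: flag keys matching the naming condition of Bug ID 503877.
# Input: text in the "sys crypto key <name> { ... }" stanza format quoted above.

# find_suffixless_normal_keys: reads stanzas on stdin and prints one key name
# per line for keys whose name lacks ".key" and whose security-type is normal.
# Stanzas without an explicit security-type line are not flagged.
find_suffixless_normal_keys() {
    awk '
        # Stanza header: sys crypto key <name> {
        $1 == "sys" && $2 == "crypto" && $3 == "key" && $5 == "{" {
            name = $4; sectype = ""; in_stanza = 1; next
        }
        in_stanza && $1 == "security-type" { sectype = $2 }
        in_stanza && $1 == "}" {
            if (name !~ /\.key$/ && sectype == "normal") print name
            in_stanza = 0
        }
    '
}

# Constructed sample listing, modelled on the output quoted in this article.
sample_listing() {
    cat <<'EOF'
sys crypto key test {
    key-size 2048
    key-type rsa-private
    security-type normal
}
sys crypto key my_2048.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}
sys crypto key hsm_key {
    key-size 2048
    key-type rsa-private
    security-type fips
}
EOF
}

# On a BIG-IP system: tmsh list sys crypto key | find_suffixless_normal_keys
sample_listing | find_suffixless_normal_keys
```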

Fix Information

With the fix, the command 'tmsh install sys crypto key test security-type fips' works for existing keys without extension (.key) as well.

Behavior Change