Bug ID 663326: Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3, 11.6.2

Opened: May 05, 2017
Severity: 3-Major


When "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" is used to export a key file from the BIG-IP system and import it into the HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.


Even though the key has been stored in the HSM, the BIG-IP system is still unable to use it, because there is no stub key to configure on the BIG-IP system.


-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.


This can be worked around by directly using the Thales command, for example:

    [root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
    type: Key type? (DES3, RSA, DES2) [RSA] >
    pemreadfile: PEM file containing RSA key? [] > /shared/tmp/testkey.pem
    embedsavefile: Filename to write key to? [] > /config/ssl/ssl.key/thales2
    plainname: Key name? [] > thales2
    x509country: Country code? [] > US
    x509province: State or province? [] > WA
    x509locality: City or locality? [] >
    x509org: Organisation? [] > F5
    x509orgunit: Organisation unit? [] > AS
    x509dnscommon: Domain name? [] >
    x509email: Email address? [] > test@test.com
    nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
    digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512) [default sha1] >

Fix Information

When 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' is used to export a key file from the BIG-IP system and import it into the HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.

Behavior Change