Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.3, 11.6.2
Opened: May 05, 2017 Severity: 3-Major
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.
-- Thales HSM is installed. -- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.
This can be worked around by directly using the Thales command, for example: [root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes type: Key type? (DES3, RSA, DES2) [RSA] > pemreadfile: PEM file containing RSA key? [] > /shared/tmp/testkey.pem embedsavefile: Filename to write key to? [] > /config/ssl/ssl.key/thales2 plainname: Key name? [] > thales2 x509country: Country code? [] > US x509province: State or province? [] > WA x509locality: City or locality? [] > x509org: Organisation? [] > F5 x509orgunit: Organisation unit? [] > AS x509dnscommon: Domain name? [] > x509email: Email address? [] > test@test.com nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] > digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512) [default sha1] >
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.