Last Modified: Nov 07, 2022
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
13.1.0, 12.1.3, 11.6.2
Opened: May 05, 2017
Severity: 3-Major
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import it into the HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.
Even though the key has been stored in the HSM, the BIG-IP system is still unable to use it, because it lacks the stub key that must be configured on the BIG-IP system.
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key?  > /shared/tmp/testkey.pem
embedsavefile: Filename to write key to?  > /config/ssl/ssl.key/thales2
plainname: Key name?  > thales2
x509country: Country code?  > US
x509province: State or province?  > WA
x509locality: City or locality?  >
x509org: Organisation?  > F5
x509orgunit: Organisation unit?  > AS
x509dnscommon: Domain name?  >
x509email: Email address?  > firstname.lastname@example.org
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512) [default sha1] >
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import it into the HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.