Bug ID 674689: ECDSA Key management support on BIG-IP using Thales and SafeNet external network HSM

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Jul 19, 2017
Severity: 1-Blocking

Symptoms

There is no support for ECDSA key management on BIG-IP systems using Thales and SafeNet external network HSMs.

Impact

ECDSA Keys and Certificates cannot be created on external network HSM such as Thales and SafeNet on BIG-IP systems.

Conditions

Creating ECDSA keys and certificates using tmsh/GUI and iControl, e.g.:

tmsh create sys crypto key ec_nethsm key-type ec-private curve-name prime256v1 security-type nethsm
tmsh create sys crypto cert ec_nethsm key ec_nethsm common-name www.ecdsa.com

Workaround

No workaround.

Fix Information

ECDSA key/cert management using external network HSMs such as Thales and SafeNet is now supported on BIG-IP systems. The feature lets BIG-IP systems use an external network HSM for create/list/delete operations on ECDSA keys and certificates, and for the ECDSA sign operation during the SSL handshake.

Behavior Change