Last Modified: May 29, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1
Fixed In:
14.1.0
Opened: Mar 13, 2018
Severity: 3-Major
Related Article: K10211160
Cannot use iControl SOAP commands or the GUI to generate an SSL certificate or CSR for an SSL key that is protected by a password.
Unable to generate a certificate or CSR for a key using iControl SOAP or the GUI.
The SSL key is password-protected. That is, the key file begins with the following pattern:

[root@big3:Active:Standalone] shared # head -2 test12345.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
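
The condition above identifies a password-protected key by its Proc-Type: 4,ENCRYPTED header. As an added example (not F5 code), the bash function below classifies key files by that header so that affected keys can be found before generating a certificate or CSR. It also recognizes the PKCS#8 "ENCRYPTED PRIVATE KEY" armor, which this page does not mention; classify_key, make_samples and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: classify PEM key files by their armor/header lines.
# Output: encrypted-legacy | encrypted-pkcs8 | plain | unknown
classify_key() {
    local file="$1" line in_key=0 cr
    cr=$(printf '\r')
    [ -r "$file" ] || { echo unknown; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                      # tolerate CRLF files
        if [ "$in_key" -eq 0 ]; then
            case $line in
                "-----BEGIN ENCRYPTED PRIVATE KEY-----")
                    echo encrypted-pkcs8; return 0 ;;
                "-----BEGIN "*"PRIVATE KEY-----") in_key=1 ;;
            esac
            continue
        fi
        # Line right after the BEGIN armor: the header the page shows.
        case $line in
            "Proc-Type: 4,ENCRYPTED") echo encrypted-legacy ;;
            *) echo plain ;;
        esac
        return 0
    done < "$file"
    echo unknown                                # no private-key armor found
}

# Constructed sample files (placeholder bodies, not real key material).
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/legacy.key"
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain_crlf.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/cert.crt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(classify_key "$f")"
done
rm -rf "$demo_dir"
```

A key reported as encrypted-legacy matches the pattern shown on this page; the page does not state whether keys in the PKCS#8 encrypted form are affected.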
You can use the following workarounds:

Workaround A: Use tmsh to create the certificate or CSR. To do so, follow this procedure:
1. Run a command similar to the following:
   tmsh create sys crypto cert test12345 key test12345 common-name cn
2. Enter the PEM pass phrase: <<input the key's password>>
3. Run a command similar to the following:
   tmsh create sys crypto csr test12345 key test12345 common-name cn
4. Enter the PEM pass phrase: <<input the key's password>>

Workaround B: Generate the certificate and CSR file using OpenSSL commands and then import them onto the BIG-IP system.
1. Run a command similar to the following:
   openssl req -x509 -sha256 -days 365 -key test12345.key -in test12345.csr -out test12345.crt
2. Enter the pass phrase for test12345.key: 12345
3. Run a command similar to the following:
   tmsh install sys crypto cert test12345 from-local-file /shared/test12345.crt
4. Run a command similar to the following:
   tmsh install sys crypto csr test12345 from-local-file /shared/test12345.csr
Can now use iControl SOAP commands or the GUI to generate an SSL certificate or CSR for an SSL key that is protected by a password.