
How to upgrade cert on BIG-IQ CM


I have a requirement to update the cert and key for our BIG-IQ appliance so that when we go to https://bigiq.int.hosangit.com we don't get the cert error and it's secure.

I export the cert/key via Venafi using PEM (OpenSSL) format and make sure I click export .crt/.key separately (so it's not all in one .PEM file).

Anyone have suggestions?


I can tell you how I do it, even though it may not be the proper way, but it works. We also use Venafi, and when we download a cert from Venafi we need to add a password to the file, which encrypts it, so you can't just upload it to BIG-IQ like the article (K52425065) says. So I "cheat" by exporting the cert as PKCS#12 (a .pfx file) and then importing the .pfx on a lab F5 box using the password, which decrypts the crt and key.

Example, try this:

FIRST (VERY IMPORTANT): back up what you have now

# copy the files currently in use to .bak before touching anything
cp /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.crt/server.crt.bak
cp /config/httpd/conf/ssl.key/server.key /config/httpd/conf/ssl.key/server.key.bak

ROLLBACK (only if there are issues)

tmsh stop sys service webd

# put the .bak copies taken above back in place
cp /config/httpd/conf/ssl.crt/server.crt.bak /config/httpd/conf/ssl.crt/server.crt
cp /config/httpd/conf/ssl.key/server.key.bak /config/httpd/conf/ssl.key/server.key

tmsh restart sys service webd


Is your key encrypted with a password?

vi bigiq.int.hosangit.com.key
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,A6DA7F14FC68AD8C841D8F666AD8F0B7


You see it says ENCRYPTED. If you use this key, BIG-IQ won't be able to read it and you will get a bunch of errors when you restart webd that look like this:

2022 Aug  8 16:35:39 bigiq.int.hosangit.com logger[25539]: Re-starting webd

Broadcast message from systemd-journald@bigiq.int.hosangit.com (Mon 2022-08-08 16:35:40 EDT):

logger[25677]: Re-starting webd

If you have debug enabled on webd you'll see this in /var/log/webd_errors.log:


2022/08/08 16:50:55 [emerg] 6022#0: cannot load certificate key "/etc/httpd/conf/ssl.key/server.key": PEM_read_bio_PrivateKey() failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read)

The above message calls out pretty clearly that the password is still set on the .key.


You have two choices here:

  1. try and decrypt the key
  2. import the file on a test F5 and have it do the decryption for you


# option 1: strip the passphrase (openssl prompts for it) and write a clear-text copy of the key
openssl rsa -in bigiq.int.hosangit.com.key -out bigiq.int.hosangit.comC.key

Now check out the key:

vi bigiq.int.hosangit.comC.key

You see no encryption header; it jumps right into the key, which is what we want.


Now that the key is clean and ready to be used, you have to make sure the crt includes the intermediate certs, so you need to create a bundle as your .crt file:

# bundle = leaf cert followed by the issuing CA cert; <(echo) guarantees a line break between the two PEM blocks
cat /shared/tmp/bigiq.int.hosangit.com.crt <(echo) "/shared/tmp/hosangIT Issuing CA 01.crt" > /config/httpd/conf/ssl.crt/server.crt

Now move over the updated key (server.crt was already written by the cat above) and restart services:

mv /shared/tmp/bigiq.int.hosangit.comC.key /config/httpd/conf/ssl.key/server.key

tmsh restart sys service webd



In this case I would download the PKCS #12 (which is the .pfx file) from Venafi.


Now head over to the GUI of your F5 BIG-IP and go to System - Certificate Management - Traffic Certificate Management - SSL Certificate List.

Click Import

Select Import Type: PKCS 12

Certificate and Key Name: New


Click Import

Now the cert is on the F5 unencrypted.

Go back to System - Certificate Management - Traffic Certificate Management - SSL Certificate List and click on bigiq.int.hosangit.com.

Now click on the Certificate tab and at the bottom click Export; you can either copy everything shown (grayed out) and paste it into a new file ending in .crt, OR just click Download.

NEXT, back on the F5, click on the Key tab and click Export; you have the same options as you did with the cert.

Both the cert and key download without the correct file extension, so go to your downloads area and make sure you add .crt to the end of the cert and .key to the end of the key.

Now that you have the .crt and .key, move them over and restart services:

mv /shared/tmp/bigiq.int.hosangit.com.crt /config/httpd/conf/ssl.crt/server.crt
mv /shared/tmp/bigiq.int.hosangit.comC.key /config/httpd/conf/ssl.key/server.key

tmsh restart sys service webd

If errors, follow rollback as stated above.

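Added example, not from the post above and not F5's or Venafi's code: a small POSIX shell script that runs the checks a cautious admin wants before restarting webd, covering both routes the answer describes. It detects a passphrase-protected key (the cause of the PEM_do_header:bad password read error quoted above), strips the passphrase non-interactively, pulls a clear-text key and cert out of a .pfx (the command-line equivalent of the lab-F5 import/export trick), builds the leaf-plus-intermediate bundle with a guaranteed line break between PEM blocks, and confirms that the cert matches the key and chains to the root. The hostname bigiq.example.test, the passphrase Secret1, the /tmp working directory and the whole root/issuing-CA/leaf chain are constructed for the demo; only the openssl subcommands are real.

```shell
#!/bin/sh
# Added example (not from the original post or from F5): pre-flight checks for
# swapping the BIG-IQ webd certificate/key. Hostnames, passphrases and the /tmp
# paths below are constructed for the demo; on the appliance the live files are
# /config/httpd/conf/ssl.crt/server.crt and /config/httpd/conf/ssl.key/server.key.
set -eu

# 0 if a PEM private key still carries a passphrase, i.e. it would trigger the
# "PEM_do_header:bad password read" error quoted in the post. Covers both the
# traditional header (Proc-Type: 4,ENCRYPTED) and the PKCS#8 form that newer
# OpenSSL writes (BEGIN ENCRYPTED PRIVATE KEY).
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Non-interactive version of the post's "openssl rsa -in X -out Y" step.
# The output file is created 0600 so the clear-text key is not world-readable.
# (pass: on the command line is visible in ps; prefer -passin file:... in scripts.)
decrypt_key() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# CLI equivalent of the post's "import the PKCS#12 on a lab F5 and export it
# again" trick: pull the leaf cert and the clear-text key straight out of the .pfx.
split_pfx() {
    pfx="$1"; pass="$2"; crt="$3"; key="$4"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$crt" 2>/dev/null
    ( umask 077; openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$key" 2>/dev/null )
}

# Leaf first, then intermediates. "awk 1" re-emits every file with a final
# newline, so "-----END CERTIFICATE-----" never gets glued to the next "-----BEGIN".
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do awk 1 "$f" >> "$out"; done
}

# The public key inside the first cert of the bundle must equal the one derived
# from the private key; a mismatch is the other classic reason webd won't start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The leaf must chain to the trusted root through the intermediates in the bundle.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Constructed demo: throw-away root -> issuing CA -> leaf, a passphrase-protected
# key and a .pfx standing in for the Venafi export, then the checks above.
demo() (
    d=$(mktemp -d); cd "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Demo Root CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Demo Issuing CA 01" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.crt -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=bigiq.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -out leaf.crt -days 1 2>/dev/null
    openssl rsa -in leaf.key -aes256 -passout pass:Secret1 -out leaf.enc.key 2>/dev/null
    openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile int.crt \
        -passout pass:Secret1 -out leaf.pfx 2>/dev/null

    key_is_encrypted leaf.enc.key || exit 1          # export is passphrase-protected
    decrypt_key leaf.enc.key leaf.plain.key Secret1
    key_is_encrypted leaf.plain.key && exit 1        # ...and now it is not
    split_pfx leaf.pfx Secret1 pfx.crt pfx.key
    key_is_encrypted pfx.key && exit 1               # the .pfx route yields a clean key too
    build_bundle server.crt leaf.crt int.crt
    cert_matches_key server.crt leaf.plain.key || exit 1
    cert_matches_key server.crt pfx.key || exit 1
    cert_matches_key server.crt int.key && exit 1    # wrong key is caught
    chain_verifies server.crt root.crt || exit 1
    cd / && rm -rf "$d"
    echo "pre-flight checks passed: safe to restart webd"
)

demo
```

On a real swap you would call key_is_encrypted, build_bundle, cert_matches_key and chain_verifies against the files in /shared/tmp and only then run the mv and tmsh restart sys service webd steps from the post; if any check fails nothing under /config/httpd has been touched yet, so there is nothing to roll back.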
