guru Posted August 8, 2022

I have a requirement to update the cert and key for our BIG-IQ appliance so that when we go to https://bigiq.int.hosangit.com we don't get the cert error and it's secure. I export the cert/key via Venafi using PEM (OpenSSL) format and make sure I click export .crt/.key separately (so it's not all in one .PEM file). Anyone have suggestions?
Cowboy Denny Posted August 9, 2022

I can tell you how I do it, even though it may not be the proper way, but it works. We also use Venafi, and when we download a cert from Venafi we need to add a password to the file, which encrypts it, so you can't just upload it to BIG-IQ like the article says (K52425065). So I "cheat" by exporting the cert via PKCS#12 (pfx file) and then importing the pfx file on a lab F5 box using the password, which then decrypts the crt and key.

Example

Try this FIRST (VERY IMPORTANT): back up what you have now.

    cp /config/httpd/conf/ssl.crt/server.crt.default /config/httpd/conf/ssl.crt/server.crt
    cp /config/httpd/conf/ssl.key/server.key.default /config/httpd/conf/ssl.key/server.key

ROLLBACK (only if issues)

    tmsh stop sys service webd
    cp /config/httpd/conf/ssl.crt/server.crt.default /config/httpd/conf/ssl.crt/server.crt
    cp /config/httpd/conf/ssl.key/server.key.default /config/httpd/conf/ssl.key/server.key
    tmsh restart sys service webd

IMPLEMENTATION

Is your key encrypted with a password?

    vi bigiq.int.hosangit.com.key
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,A6DA7F14FC68AD8C841D8F666AD8F0B7

    dWmbHYvIYh2+5oJylsZW158cp6LDu3mC0kg1CUQtqJyhahCR6LInoXu44fyF38ap

You see it says ENCRYPTED. If you use this key, BIG-IQ won't be able to read it and you will get a bunch of errors when you restart webd that look like this:

    2022 Aug 8 16:35:39 bigiq.int.hosangit.com logger[25539]: Re-starting webd
    Broadcast message from systemd-journald@bigiq.int.hosangit.com (Mon 2022-08-08 16:35:40 EDT):
    logger[25677]: Re-starting webd

If you have debug enabled on webd you'll see in /var/log/webd_errors.log:

    2022/08/08 16:50:55 [emerg] 6022#0: cannot load certificate key "/etc/httpd/conf/ssl.key/server.key": PEM_read_bio_PrivateKey() failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read)

The above message calls out pretty clearly that the password is still set on the .key. You have two choices here: (1) try and decrypt the key, or (2) import the file on a test F5 and have it do the decryption for you.

1. DECRYPT the KEY

    openssl rsa -in bigiq.int.hosangit.com.key -out bigiq.int.hosangit.comC.key

Now check out the key:

    vi bigiq.int.hosangit.comC.key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEAuVoGYB18xBQmKIp91Xe1NKse2+ea0xXBDzf9hbsRm4pIhv1A

You see no encryption; it just jumps right into the key, which is what we want.

BUILD the .crt BUNDLE

Now that we have the key clean and ready to be used, you have to make sure the crt includes the intermediate crts, so you need to create a bundle as your .crt file:

    # <(echo) puts a newline (not a carriage return) between the leaf cert and the issuing CA cert
    cat /shared/tmp/bigiq.int.hosangit.com.crt <(echo) "/shared/tmp/hosangIT Issuing CA 01.crt" <(echo) > /config/httpd/conf/ssl.crt/server.crt

Now move over the updated cert/key and restart services:

    # server.crt was already written by the cat above; only the key still needs to move
    mv /shared/tmp/bigiq.int.hosangit.comC.key /config/httpd/conf/ssl.key/server.key
    tmsh restart sys service webd

2. UTILIZE F5 BIG-IP

In this case I would download from Venafi the PKCS #12 (which is the .pfx file).

Now head over to the GUI of your F5 BIG-IP and scroll down to System - Certificate Management - Traffic Certificate Management - SSL Certificate List.
Click Import.
Select Import Type: PKCS 12 (Certificate and Key).
Name: New.
Click Import.

Now the cert is on the F5 unencrypted. Go back to System - Certificate Management - Traffic Certificate Management - SSL Certificate List and click on bigiq.int.hosangit.com.

Now click on the Certificate tab and at the bottom click Export. You can either copy everything shown that is grayed out and paste it into a new file ending with .crt, OR just click Download.

NEXT, back on the F5, click on the Key tab and click Export, and you have the same options as you did with the cert.

Both the cert and key download without the correct file extension, so go to your downloads area and make sure you add .crt at the end of the cert and .key at the end of the key.

Now that you have the .crt and .key, move them over and restart services:

    mv /shared/tmp/bigiq.int.hosangit.com.crt /config/httpd/conf/ssl.crt/server.crt
    mv /shared/tmp/bigiq.int.hosangit.comC.key /config/httpd/conf/ssl.key/server.key
    tmsh restart sys service webd

If errors, follow the rollback as stated above.
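The following shell script is an example added to this thread; it is not Cowboy Denny's own commands or anything shipped with BIG-IQ. It automates the checks behind both options in the answer above: detect whether the exported PEM key is still password-protected, decrypt it with the passphrase read from a file (so it never lands in shell history or `ps`), build the .crt bundle with a guaranteed newline between the leaf and each intermediate, and confirm that the certificate's public key really belongs to the private key before anything is moved into /config/httpd. It assumes openssl and POSIX coreutils are on the box; all function names, the output directory and the sample file names are mine (constructed), and the final mv/tmsh restart from the post is still done by hand.

```shell
#!/bin/sh
# Added example, not from the original post. Prepares and sanity-checks a
# cert/key pair before it is copied over BIG-IQ's server.crt / server.key.
# Assumes: openssl + POSIX coreutils. Function and file names are constructed.

# 0 if the PEM key is password-protected: legacy "Proc-Type: 4,ENCRYPTED"
# header (the case shown in the post) or a PKCS#8 ENCRYPTED PRIVATE KEY block.
pem_is_encrypted() {
  grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# decrypt_key IN OUT PASSFILE
# Same openssl rsa call as the post, but the passphrase comes from a 0600 file
# instead of an interactive prompt or the command line.
decrypt_key() {
  openssl rsa -in "$1" -out "$2" -passin "file:$3" 2>/dev/null && chmod 0600 "$2"
}

# build_bundle OUT LEAF.crt INTERMEDIATE.crt ...
# Concatenates the certs, appending a newline only when a file lacks a trailing
# one, so "-----END CERTIFICATE-----" and the next "-----BEGIN" never share a line.
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
  done
}

# Number of CERTIFICATE blocks in a PEM file (expect leaf + each intermediate).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# cert_matches_key BUNDLE.crt KEY
# 0 if the first certificate's public key equals the public half of the key.
# Both commands emit the SubjectPublicKeyInfo in PEM, so a string compare suffices.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl rsa -in "$2" -pubout 2>/dev/null </dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# prepare LEAF.crt KEY PASSFILE OUTDIR [INTERMEDIATE.crt ...]
# Produces OUTDIR/server.crt (bundle) and OUTDIR/server.key (unencrypted).
# Returns non-zero, and leaves /config untouched, on any failure.
prepare() {
  leaf=$1; key=$2; passfile=$3; outdir=$4; shift 4
  mkdir -p "$outdir" || return 1
  if pem_is_encrypted "$key"; then
    decrypt_key "$key" "$outdir/server.key" "$passfile" || { echo "decrypt failed" >&2; return 1; }
  else
    cp "$key" "$outdir/server.key" && chmod 0600 "$outdir/server.key" || return 1
  fi
  build_bundle "$outdir/server.crt" "$leaf" "$@"
  if ! cert_matches_key "$outdir/server.crt" "$outdir/server.key"; then
    echo "certificate and key do not match" >&2
    return 1
  fi
  echo "ok: $(count_certs "$outdir/server.crt") cert(s) in $outdir/server.crt, key decrypted"
}

# Example invocation (file names are placeholders):
#   ./prep.sh bigiq.int.hosangit.com.crt bigiq.int.hosangit.com.key ./pass /shared/tmp/new "hosangIT Issuing CA 01.crt"
# then mv the two files from /shared/tmp/new into /config/httpd/conf and
# tmsh restart sys service webd, exactly as in the post.
if [ $# -ge 4 ]; then
  prepare "$@"
fi
```

If `prepare` exits non-zero, nothing has been written under /config, so there is nothing to roll back; the "cert/key do not match" branch is the one that catches an export where the .crt and .key came from different Venafi renewals.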