18 Jun 09

SSL Certificates exported from IIS… where were we?

Today’s Issue:

Export existing SSL certificate from Windows 2008 (IIS 7) and private key to a password-protected PFX file, and import for SSL Offloading use on BIGIP LTM6400 9.3.1

Where We Are:

We’re essentially back at square one here.  Upgrading to version 10.0.1 did nothing to resolve the IMPORT FAILED: CERTIFICATE/KEY MISMATCH error when I tried to import several different ways.  Need to know THE way to do this correctly.

How We Got Here:

To recap:

If I export the cert from IIS, the only option I have is to export as a password-protected .PFX. When I import the certificate (Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys), I get:

IMPORT FAILED: CERTIFICATE/KEY MISMATCH

If I export from MMC>Certificates, including the private key, again the only option I have is to export as a password-protected .PFX. Same result when I import the certificate (Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys):

IMPORT FAILED: CERTIFICATE/KEY MISMATCH

If I export from MMC>Certificates, this time NOT including the private key, and export as .CER, I get the same result when I import the certificate (Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys):

IMPORT FAILED: CERTIFICATE/KEY MISMATCH

I’ve confirmed that the name on the cert matches what I’ve entered for “Certificate Name” on the import screen, and at no point have I been prompted to supply the password.

I was told by support that I needed to upgrade to get the password-protected file to work, so we went to 10.0.1 on a test system running the same config as production…now I get:

If I export from MMC>Certificates, including the private key, again the only option I have is to export as a password-protected .PFX. Same result when I import the certificate (Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys):

IMPORT FAILED: CERTIFICATE/KEY MISMATCH

If I export from MMC>Certificates, this time NOT including the private key, and export as .CER, it now imports successfully, but still doesn’t prompt me for a password.

So I attended a Technical Workshop sponsored by the F5 User Group in my area on Tuesday, and although many of the nuances discussed about new features of 10.0.1 were already described in previous posts (will get up some of my notes soon), the one thing I really came away with, was to make sure to enlist the help of DevCentral when problems arise.

Aside:  So I’m sure at this point that all of you, like me, have used plenty of support forums in your days, vendor-supplied or otherwise.  I dutifully joined up on DevCentral, but hadn’t really considered it for much more than another outlet, and admittedly had no idea how much traffic they saw, or the quality of info presented there… Boy was I happily surprised!  Literally in no less than two (yes 2) minutes after my original post, I had not one, but two (yes 2) answers to my question!!  One from another home-grown site, another from the vendor’s Solutions archive itself.  Maybe their support guys need to lurk over on the forums a little more, but I digress.  I’m sure I’ll be looking over there a lot in the days to come.

So here’s the scoop:

RE: SSL Certificate Import by johns
Go to tech.f5.com and look up solution 6549. I think that will do what you need.

And off I went… johns, you rock.

For those who don’t want to read that far, or to register for an account (different from your DevCentral account), here ’tis:

1 – Copy the .pfx PKCS12 file to the BIG-IP /var/tmp directory (My weapon of choice here is WinSCP)

2 – Run this command (I did this logged in as root)
openssl pkcs12 -in <PKCSfile> -out <filename>.pem -nodes

A single PEM-encoded file is created.

Note: The -nodes switch means the password on the key will be discarded and will not be required when importing the file to the BIG-IP system. To maintain the password on the BIG-IP system, do not use the -nodes switch. You will be required to supply the password when importing the key to the BIG-IP system. Either way, remember that the .pfx and the PEM output both sit in /var/tmp on the load balancer, and with -nodes the PEM file holds the private key in the clear: delete both once the import has succeeded.

3 – Copy the PEM-encoded file from the BIG-IP system to your local workstation (again, WinSCP)

4 – Using a text editor, divide the new PEM-encoded file into separate certificate and private key files by performing the following procedure:

Cut the text beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, making sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and all of their dashes. If the PFX was exported with the certification path included, the PEM file contains more than one certificate block; the server certificate is the one whose subject= line (printed by openssl just above the block) carries your site name. Any CA certificates are imported separately, not pasted into the same .crt.

Save the certificate text as a new text file with a .crt extension. For example, mynewcert.crt.

Cut the text beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----, making sure to include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines and all of their dashes. Newer OpenSSL releases write the key in PKCS#8 form, so the block may read -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- instead; cut that block in exactly the same way.

Save the key text as a new text file with a .key extension. For example, mynewkey.key.

Seriously… that’s it.

Now you are left with 2 files, a .CRT and a .KEY.  Browse to the F5 GUI and head over to Local Traffic >> SSL Certificates >> Import SSL Certificates and Keys, import the .CRT as the Certificate and the .KEY as the Key under the same name so the BIG-IP pairs them, and off you go.
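The four steps above, scripted, as an added example that is not part of the original post or of F5’s solution: it runs the same openssl pkcs12 -nodes conversion, does the cut-and-paste with awk instead of a text editor, and then checks that the .crt and .key actually belong together before you upload them, which is the quickest way to know whether a CERTIFICATE/KEY MISMATCH is coming. The file names, the output directory and the way the password is passed are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from F5): turn a
# password-protected PFX into the .crt and .key files the BIG-IP import
# screen expects, and confirm that the key belongs to the certificate
# before uploading anything. Needs only openssl and awk. File names, the
# output directory and the password handling are this example's assumptions.
set -eu

# pfx_split PFX PASSWORD OUTDIR
#   writes OUTDIR/server.crt (first certificate in the bundle),
#   OUTDIR/chain.crt (any further certificates, only if present) and
#   OUTDIR/server.key.
# -nodes strips the PFX password, so the key is written to disk unencrypted:
# the umask keeps OUTDIR private, and the directory should be deleted once
# the BIG-IP import has succeeded.
pfx_split() {
    pfx=$1
    pass=$2
    out=$3
    umask 077
    mkdir -p "$out"
    # PFX files made by older Windows releases use RC2-40 for the certificate
    # bag; OpenSSL 3 only reads those with "-legacy" added to this command.
    # (-passin env:PFXPASS would keep the password off the process list;
    # pass: is used here so the function can take it as an argument.)
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -out "$out/bundle.pem"
    # Split on the PEM markers. Newer OpenSSL writes the key as PKCS#8
    # ("BEGIN PRIVATE KEY") rather than "BEGIN RSA PRIVATE KEY"; the pattern
    # below accepts both. Lines outside a BEGIN/END pair (Bag Attributes,
    # subject=, issuer=) are dropped.
    awk -v crt="$out/server.crt" -v chain="$out/chain.crt" -v key="$out/server.key" '
        /^-----BEGIN CERTIFICATE-----/   { n++; f = (n == 1) ? crt : chain }
        /^-----BEGIN .*PRIVATE KEY-----/ { f = key }
        f                                { print > f }
        /^-----END /                     { f = "" }
    ' "$out/bundle.pem"
    rm -f "$out/bundle.pem"
}

# pfx_check CRT KEY
#   succeeds only when the RSA modulus in the certificate equals the one in
#   the key, i.e. the two files are a pair. A pair that fails this test is
#   not going to import cleanly, so run it before the upload, not after.
pfx_check() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: sh pfx2bigip.sh site.pfx 'PfxPassword' /var/tmp/site
if [ "$#" -eq 3 ]; then
    pfx_split "$1" "$2" "$3"
    if pfx_check "$3/server.crt" "$3/server.key"; then
        echo "OK: import $3/server.crt as the certificate and $3/server.key as the key"
    else
        echo "MISMATCH: the key in $1 does not belong to the certificate" >&2
        exit 1
    fi
fi
```

Run it on the BIG-IP itself (the openssl and awk there are enough) or on any workstation with OpenSSL, then upload server.crt and server.key through the GUI and remove the output directory. If the PFX came with the certification path, chain.crt holds the intermediates for a separate import.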


4 Responses to “SSL Certificates exported from IIS… where were we?”


  1. VitaRedux
    December 22, 2009 at 5:17 am

    I can’t admit how many times I’ve come back here for this info. Thanks.

  2. August 19, 2010 at 8:50 pm

    Works wonderful! Thanks for your nice work!

