Jump to content

How to upgrade cert on BIG-IQ CM


i-SupportU
 Share

Recommended Posts

I can tell you how I do it even though it may not be the proper way but it works.  So we also use venafi and when we download a cert from venafi we need to add a password to the file which encrypts it so you can't just upload it to bigiq like the article says (K52425065) so I "cheat" by export the cert via PKCS#12 (pfx file) and then import the pfx file on a lab F5 box using the password which then decrypts the crt and key.

Example try this

FIRST (VERY IMPORTANT) backup what you have now

cp /config/httpd/conf/ssl.crt/server.crt.default /config/httpd/conf/ssl.crt/server.crt
cp /config/httpd/conf/ssl.key/server.key.default /config/httpd/conf/ssl.key/server.key

ROLLBACK only if issues

tmsh stop sys service webd

cp /config/httpd/conf/ssl.crt/server.crt.default /config/httpd/conf/ssl.crt/server.crt
cp /config/httpd/conf/ssl.key/server.key.default /config/httpd/conf/ssl.key/server.key

tmsh restart sys service webd

IMPLEMENTATION

Is your key encrypted with a password?

vi bigiq.int.hosang.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,A6DA7F14FC68AD8C841D8F666AD8F0B7

dWmbHYvIYh2+5oJylsZW158cp6LDu3mC0kg1CUQtqJyhahCR6LInoXu44fyF38ap

You see it says ENCRYPTED which if you use this key bigiq won't be able to read it and you will get a bunch of errors when you restart webd that look like this"

2022 Aug  8 16:35:39 bigiq.int.hosangit.com logger[25539]: Re-starting webd

Broadcast message from systemd-journald@bigiq.int.hosangit.com (Mon 2022-08-08 16:35:40 EDT):

logger[25677]: Re-starting webd

If you have debug enabled on webd you'll see in /var/log/webd_errors.log

Quote

2022/08/08 16:50:55 [emerg] 6022#0: cannot load certificate key "/etc/httpd/conf/ssl.key/server.key": PEM_read_bio_PrivateKey() failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A068:PEM routines:PEM_do_header:bad password read)

Which the above message calls out pretty clearly the password is set on the .key still

 

You have two choices here

  1. try and decrypt the key
  2. import the file on a test F5 and have it do the decryption for you

1. DECRYPT the KEY

openssl rsa -in bigiq.int.hosang.com.key -out bigiq.int.hosang.comC.key

Now check out the key

vi bigiq.int.hosang.comC.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAuVoGYB18xBQmKIp91Xe1NKse2+ea0xXBDzf9hbsRm4pIhv1A

You see no Encryption, just jumps right into the key which is what we want.

BUILD the .crt BUNDLE

Now that we have the key clean and ready to be used you have to make sure the crt includes the intermediate crts so you need to create a bundle as your .crt file

cat /shared/tmp/bigiq.int.hosang.com.crt <(echo -e \\r) "/shared/tmp/hosangIT Issuing CA 01.crt" <(echo -e \\r) > /config/httpd/conf/ssl.crt/server.crt

Now move over the updated cert/key and restart services

mv /shared/tmp/bigiq.int.hosangit.com.crt /config/httpd/conf/ssl.crt/server.crt
mv /shared/tmp/bigiq.int.hosangit.comC.key /config/httpd/conf/ssl.key/server.key

tmsh restart sys service webd

 

2. UTILIZE F5 BIG-IP

In this case I would download from venafi the PKCS #12 (which is the .pfx file)

venafi_download.png

Now head over to the GUI of your F5 BIG-IP and scroll down to System - Certificate Management - Traffic Certificate Management - SSL Certificate List

Click Import

Select Import Type: PKCS 12

Certificate and Key Name: New

import_cert_f5.png

Click Import

Now the cert is on the F5 unencrypted

Go back to System - Certificate Management - Traffic Certificate Management - SSL Certificate List and click on bigiq.int.hosangit.com

Now click on Certificate tab and at the bottom click Export and you can either copy everything shown that is grayed out and paste it into a new file ending with .crt OR just click download

NEXT back on the F5, click on the Key tab and click Export and you have the same options as you did with the cert

Both the cert and key download without the correct file extension so go to your downloads area and make sure you add .crt at the end of the .crt and .key at the end of the key

Now that you have the .crt and .key move them over and restart services

mv /shared/tmp/bigiq.int.hosangit.com.crt /config/httpd/conf/ssl.crt/server.crt
mv /shared/tmp/bigiq.int.hosangit.comC.key /config/httpd/conf/ssl.key/server.key

tmsh restart sys service webd

If errors, follow rollback as stated above.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...