Some web servers, most notably Microsoft Internet Information Server (IIS), use SSL certificates in PKCS format. The BIG-IP system can use only SSL certificates that are stored in PEM format.
Important: Starting in BIG-IP 10.1.0, it is no longer necessary to convert PKCS#12 files to PEM format; in BIG-IP 10.1.0 and later, you can import PKCS#12 files directly using the Configuration utility. To do so, select PKCS 12 (IIS) from the Import Type menu when importing the certificate or key. The BIG-IP system automatically converts the PKCS#12 file to PEM format. Additionally, starting in BIG-IP 11.0.0, you can also import PKCS#12 files directly using the tmsh utility. For command syntax and examples, refer to the Traffic Management Shell (tmsh) Reference Guide. You must still manually convert PKCS#7 files to the PEM format prior to importing them to the BIG-IP system.
Depending on your web server software, you may first need to export the certificate and key in PKCS format. The PKCS file will have a .pfx extension and contain both the certificate and the private key. A certificate chain will have a .p7b extension.
Note: For more information about configuring your BIG-IP system to use SSL certificates and keys, refer to SOL10167: Overview of the Client SSL profile and SOL11220: Overview of the Server SSL profile.
Converting and importing PKCS12 files
To convert the PKCS12 file to a PEM formatted file, and import the certificate and private key files to the BIG-IP system, perform the following two procedures:
- Converting the PKCS12 (Certificate and Key) file to a PEM formatted file
- Importing the certificate and private key files to the BIG-IP system
Converting the PKCS12 (Certificate and Key) file to a PEM formatted file
- Copy the .pfx PKCS12 file to the /var/tmp directory on the BIG-IP system.
Note: For more information, refer to SOL175: Transferring files to or from an F5 system.
- Convert the PKCS12 file into a PEM file by typing the following command:
openssl pkcs12 -in <PKCSfile> -out <filename>.pem -nodes
Note: If you use the -nodes switch, the system will discard the password on the key and the password will not be required when importing the file to the BIG-IP system. To maintain the password on the BIG-IP system, do not use the -nodes switch. You will then be required to supply the password when importing the key to the BIG-IP system.
A single PEM-encoded file is created.
- Copy the PEM-encoded file from the BIG-IP system to your local workstation.
- Using a text editor, divide the new PEM-encoded file into separate certificate and private key files by performing the following procedure:
- Cut the text beginning with BEGIN CERTIFICATE and ending with END CERTIFICATE, making sure to include the BEGIN CERTIFICATE and END CERTIFICATE statements.
- Save the certificate text as a new text file with a .crt extension. For example, mynewcert.crt.
- Cut the text beginning with BEGIN RSA PRIVATE KEY and ending with END RSA PRIVATE KEY, making sure to include the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY statements.
- Save the key text as a new text file with a .key extension. For example, mynewkey.key.
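The conversion and the text-editor split above can also be scripted. The following is an added example and is not part of the F5 article: it wraps the article's openssl command in a function and uses awk to cut the certificate and key blocks out of the combined PEM file, dropping the Bag Attributes and subject= lines that openssl writes around them. It assumes openssl is on the PATH; all file names are placeholders. Note that OpenSSL 0.9.8 labels the key block RSA PRIVATE KEY, as quoted in the article, while OpenSSL 1.0.0 and later write a PKCS#8 block labelled PRIVATE KEY (or ENCRYPTED PRIVATE KEY when -nodes is omitted); the key extractor accepts all three labels.

```shell
#!/bin/sh
# Added example, not from the F5 article: automate the PKCS#12 to PEM conversion
# and the split into separate certificate and key files. Assumes openssl is on
# PATH; file names used here are placeholders.

# Convert a PKCS#12 (.pfx) bundle to a single PEM file.
# mode "nodes" (default) writes the key unencrypted, as in the article's command;
# mode "keep" omits -nodes, so openssl prompts for a PEM pass phrase, which must
# then be supplied again when importing the key to the BIG-IP system.
pfx_to_pem() {
    pfx="$1"; out="$2"; mode="${3:-nodes}"
    if [ "$mode" = "keep" ]; then
        openssl pkcs12 -in "$pfx" -out "$out"
    else
        openssl pkcs12 -in "$pfx" -out "$out" -nodes
    fi
}

# Read a PEM file on stdin and print only the first certificate block,
# including its BEGIN and END lines; everything else is discarded.
extract_first_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----$/ {exit}'
}

# Print the private key block from stdin. Accepts the "RSA PRIVATE KEY" label
# (OpenSSL 0.9.8), the PKCS#8 "PRIVATE KEY" label (1.0.0 and later) and the
# "ENCRYPTED PRIVATE KEY" label written when -nodes is not used.
extract_key() {
    awk '/^-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----$/ {p=1}
         p {print}
         /^-----END (RSA |ENCRYPTED )?PRIVATE KEY-----$/ {exit}'
}

# Split a combined PEM file into <base>.crt and <base>.key, the two files the
# Configuration utility import steps expect. Returns non-zero if either is empty.
split_pem() {
    pem="$1"; base="$2"
    extract_first_cert < "$pem" > "$base.crt"
    extract_key < "$pem" > "$base.key"
    [ -s "$base.crt" ] && [ -s "$base.key" ]
}

# Usage with placeholder names:
#   pfx_to_pem /var/tmp/mysite.pfx /var/tmp/mysite.pem && split_pem /var/tmp/mysite.pem /var/tmp/mynewcert
```

split_pem keeps only the first certificate block, matching the article's single-certificate procedure; if the .pfx also carried intermediate CA certificates, those would need to be imported separately as a chain.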
Importing the certificate and private key files to the BIG-IP system
- Log in to the BIG-IP Configuration utility.
- For 9.x to 10.x, navigate to Local Traffic > SSL Certificates. For 11.x, navigate to System > File Management, and click SSL Certificate List.
- Click Import.
- Select Certificate from the Import Type menu.
- Type the desired name in the Certificate Name field.
- Click Browse.
- Navigate to select the certificate file copied to the workstation in the previous procedure.
- Click Import.
- Select Key from the Import Type menu.
- Type the desired name in the Key Name field.
Note: To pair the private key with the certificate, use the same name you used for the certificate in Step 7.
- Click Browse.
- Navigate to select the private key file that you copied to the workstation in the previous procedure.
- Click Import.
- Click the newly-imported certificate and private key pair to view the certificate and key properties.
You now have imported PEM-formatted certificate files and private key files that you can use with BIG-IP Client SSL profiles.
Converting and importing PKCS#7 files
To convert a PKCS#7 file to a PEM formatted file, and import the certificate chain file to the BIG-IP system, perform the following two procedures:
- Converting a PKCS#7 (certificate chain) file to a PEM formatted file
- Importing the certificate chain file to the BIG-IP system
Converting a PKCS#7 (certificate chain) file to a PEM formatted file
- Copy the .p7b PKCS file to the /var/tmp directory.
- Convert the PKCS#7 file into a PEM file by typing the following command:
openssl pkcs7 -in <PKCSfile>.p7b -text -out <filename>.pem -print_certs
- Copy the PEM-encoded file from the BIG-IP system to your local workstation.
Importing the certificate chain file to the BIG-IP system
- Log in to the BIG-IP Configuration utility.
- For 9.x to 10.x, navigate to Local Traffic > SSL Certificates. For 11.x, navigate to System > File Management, and click SSL Certificate List.
- Click Import.
- Select Certificate from the Import Type menu.
- Type the desired name in the Certificate Name field.
- Click Browse.
- Navigate to select the certificate file that you copied to the workstation in the previous procedure.
- Click Import.
You now have imported the PEM-formatted certificate chain file that you can use with BIG-IP Client SSL profiles.
Troubleshooting PKCS to PEM conversion errors
When converting SSL certificates from the PKCS to PEM format, incorrect formatting may cause the openssl conversion command to fail with errors that appear similar to the following:
20128:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: PKCS7
20301:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:741:
These errors have been observed when the certificate header and footer contain formatting errors that appear similar to the following examples:
Incorrect:
-----BEGIN PKCS #7 SIGNED DATA-----
[Certificate Data]
-----END PKCS #7 SIGNED DATA-----
Incorrect:
-----BEGIN PKCS7-----
[Certificate Data]
-----END PKCS7----
Note: In this example, the footer is missing a final hyphen ( - ) character.
To successfully convert the certificates to PEM format, use a text editor and edit the file to ensure that the header and footer match either of the following examples:
Correct:
-----BEGIN PKCS7-----
[Certificate Data]
-----END PKCS7-----
Correct:
-----BEGIN CERTIFICATE-----
[Certificate Data]
-----END CERTIFICATE-----
Once the header and footer have been corrected, proceed with the conversion as detailed in the previous steps.
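The header and footer check can be done before running openssl rather than after it fails. The following is an added example, not part of the F5 article: check_pem_armor reports any BEGIN/END line that is not exactly five hyphens, one of the two labels shown above (PKCS7 or CERTIFICATE), and five hyphens again, and fix_pem_armor rewrites the two malformed shapes from the Incorrect examples into the Correct form. It assumes the dashes in the file are plain ASCII hyphens and that sed supports -E; file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the F5 article: validate and normalise PEM header and
# footer lines before the openssl pkcs7 conversion. Assumes ASCII hyphens and a
# sed that accepts -E (GNU and BSD sed both do).

# Select the lines that look like PEM armor: a run of dashes, then BEGIN or END.
armor_lines() {
    grep -n -E '^-+(BEGIN|END) ' "$1" || true
}

# Return 0 only if every armor line is exactly "-----BEGIN LABEL-----" or
# "-----END LABEL-----" with LABEL being PKCS7 or CERTIFICATE, the two labels
# the article gives as correct. Offending lines are reported on stderr.
check_pem_armor() {
    file="$1"
    total=$(armor_lines "$file" | grep -c '' || true)
    if [ "$total" -eq 0 ]; then
        echo "$file: no PEM BEGIN/END lines found" >&2
        return 1
    fi
    bad=$(armor_lines "$file" | grep -v -E '^[0-9]+:-----(BEGIN|END) (PKCS7|CERTIFICATE)-----$' || true)
    if [ -n "$bad" ]; then
        printf '%s: malformed armor line(s):\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# Write a corrected copy of the file to stdout: any run of three or more dashes
# around a known label becomes exactly five, and the non-standard
# "PKCS #7 SIGNED DATA" label becomes PKCS7.
fix_pem_armor() {
    sed -E \
        -e 's/^-{3,}(BEGIN|END) (PKCS #7 SIGNED DATA|PKCS7|CERTIFICATE)-{3,}$/-----\1 \2-----/' \
        -e 's/^-----(BEGIN|END) PKCS #7 SIGNED DATA-----$/-----\1 PKCS7-----/' "$1"
}

# Usage with a placeholder name:
#   check_pem_armor chain.p7b || fix_pem_armor chain.p7b > chain.fixed.p7b
```

Only the armor lines are touched; the base64 body between them is passed through unchanged, so a file that still fails after this fix has a problem in its content rather than its header and footer.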