# http://www.openssl.org/docs/apps/rsa.html
# Change the existing passphrase on a key, my_encrypted.key
openssl rsa -des3 -in /config/ssl/ssl.key/original_encrypted.key -out /config/ssl/ssl.key/updated_encrypted.key
- Create the client SSL profile with any accepted passphrase.
- Via the command line, edit the /config/bigip.conf file.
- Identify the profile section in the file (see the example below).
- Between the braces of that section, you will find the encrypted passphrase.
For example:
profile clientssl NicSSL {
   defaults from clientssl
   key "NicCert.key"
   cert "NicCert.crt"
   ca file "NicCA.crt"
   client cert ca "NicCA.crt"
   passphrase "$M$dd$4S7mOWS//HijBz9V/7/mmA==" << passphrase
   peer cert mode require
   authenticate always
}
- Modify it to include your valid passphrase:
profile clientssl NicSSL {
   defaults from clientssl
   key "NicCert.key"
   cert "NicCert.crt"
   ca file "NicCA.crt"
   client cert ca "NicCA.crt"
   passphrase "hello$$$hello"
   peer cert mode require
   authenticate always
}
- You can now load the configuration. You will then be able to test the SSL profile.
b load
- The passphrase is still in cleartext in the /config/bigip.conf file, which isn't very secure. Save the config and the passphrase will be saved encrypted.
b save
- Double-check the file /config/bigip.conf to make sure the passphrase is now encrypted:
grep passphrase /config/bigip.conf
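The final check above can be scripted. This added example (not part of the original post) lists the clientssl profiles in a config file whose passphrase is still stored in cleartext, without printing the passphrase. It assumes an encrypted value starts with `$M$`, as in the profile shown earlier; the function names and the `EditedSSL` profile are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: an encrypted passphrase starts with "$M$", as in the profile above.

# find_cleartext_passphrases FILE
# Prints the name of every clientssl profile whose passphrase does not start
# with "$M$". The passphrase itself is never printed.
find_cleartext_passphrases() {
    awk '
        $1 == "profile" && $2 == "clientssl" { name = $3 }   # profile header
        name != "" && $1 == "passphrase" {
            value = $2
            gsub(/"/, "", value)                 # drop the surrounding quotes
            if (index(value, "$M$") != 1) print name
        }
        $1 == "}" { name = "" }                  # end of profile block
    ' "$1"
}

# Constructed sample: one saved (encrypted) profile, one hand-edited and not yet saved.
sample_conf() {
    cat <<'EOF'
profile clientssl NicSSL {
   defaults from clientssl
   key "NicCert.key"
   cert "NicCert.crt"
   passphrase "$M$dd$4S7mOWS//HijBz9V/7/mmA=="
}
profile clientssl EditedSSL {
   defaults from clientssl
   key "NicCert.key"
   cert "NicCert.crt"
   passphrase "hello$$$hello"
}
EOF
}

# Run against a file given as the first argument, or against the sample.
if [ -n "${1:-}" ]; then
    find_cleartext_passphrases "$1"
else
    tmp_conf=$(mktemp)
    sample_conf > "$tmp_conf"
    find_cleartext_passphrases "$tmp_conf"
    rm -f "$tmp_conf"
fi
```

An empty result means every passphrase found is in the encrypted form; any profile name printed still needs `b save`.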