Forum Discussion

JD_Tomzak
May 23, 2024
Solved

SSL cert bundle - how to extract the intermediate?

We have a new cert provider and instead of sending me a zip file with the cert and intermediate, they sent the cert and a bundle. Any idea how to extract the intermediate cert text from that bundle so I can import into the F5 and use with an SSL profile?

Thanks!

  • First you need to know if it is PKCS#7 or PKCS#12.

    Try opening the cert bundle file in Notepad++, just for checking if it works, else the above method using OpenSSL is 

    This is the easiest way; I have tried it hundreds of times.

    There you can see different sections:

    ------------BEGIN CERTIFICATE------------

    ------------END CERTIFICATE------------

     

    This way you can save them in different files with different names; just double-click each one in Windows to see which is the certificate and which is the intermediate certificate.

    If it includes the key as well, then you will see a section:

     

    ------------BEGIN KEY------------

    ------------END KEY------------

     

    When you open the bundle in Notepad++ it may look like this

     

     

    subject=CN = Test.ABC.com, C = US, ST = Virginia, L = Falls Church, OU = MYIT, O = ABC.TEST

    issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT Issuing CA


    -----BEGIN CERTIFICATE-----
    GARBLED VALUES AS its a DUMMy not to be used 
    -----END CERTIFICATE-----

    subject=CN = Test.ABC.com, C = US, ST = Virginia, L = Falls Church, OU = MYIT, O = TEST ROT CA ABC.TEST

    issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT  Intermediate CA

    -----BEGIN CERTIFICATE-----
    GARBLED VALUES AS its a DUMMy not to be used 
    -----END CERTIFICATE-----

    subject=C = US, O = IT Technology Company, OU = Security, CN = TEST Intermediate CA ABC.TEST

    issuer=C = US, O = TEST Company, OU = Security, CN = TEST IT  Root CA

    -----BEGIN CERTIFICATE-----
    GARBLED VALUES AS its a DUMMy not to be used 
    -----END CERTIFICATE-----

     

    The easy way to import certificates and keys in the GUI is to select Paste Text and paste the certificate plain text into the text box.

    When importing a certificate from a Notepad text file, give the certificate a name without any extension; don't add .crt at the end, or it will be shown 2 times in the CLI after creation. So just use a name with no extension or .crt.

    Paste any of the certificates into the Certificate Source box, marked as number 8 in the blue circle below, and Import.

    Do the same for the key, with no .key extension in the name.

     

     

    Impact of procedure: Performing the following procedures should not have a negative impact on your system.

    1. Log in to the Configuration utility.
    2. Go to the SSL Certificate List page:
      • For BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
      • For BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
    3. Select Import.
    4. In the Import Type list, select Certificate.
    5. For Certificate Name, select Create New and enter a unique name for the certificate, or select Overwrite Existing to overwrite an existing certificate, and in the list, select the certificate file that you want to overwrite.
    6. For Certificate Source, select Upload File and select Choose File to browse to the file location, or select Paste Text and paste the certificate plain text into the text box.
    7. Select Import.
    8. You can now associate the SSL certificate with the appropriate SSL profile.

    Import an SSL private key

    You can use the following procedure to import an existing SSL private key.

    Impact of procedure: Performing the following procedures should not have a negative impact on your system.

    1. Log in to the Configuration utility.
    2. Go to the SSL Certificate List page:
      • For BIG-IP 13.x and later, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
      • For BIG-IP 12.x and earlier, go to System > File Management > SSL Certificate List.
    3. Select Import.
    4. In the Import Type list, select Key.
    5. For Key Name, select Create New and enter a unique name for the key, or select Overwrite Existing to overwrite an existing key, and in the list, select the key file that you want to overwrite. Note: When you provide the same name for the key and the certificate, the system associates them for you and they appear in the same row in the Configuration utility.
    6. Note: The certificate and key must match. The system reports an error when you associate a non-matching certificate and key in the ClientSSL or ServerSSL profiles. For more information, refer to K61555083: Renewed certificate fails to import, with error "key and certificate do not match".
    7. For Key Source, select Upload File and select Choose File to browse to the file location, or select Paste Text and paste the key plain text into the text box.
    8. If you want to set a password for the key, in the Security Type list, select Password and enter a password in the Password box.
    9. Select Import.

    Manage SSL certificates for BIG-IP systems using the Configuration utility (f5.com)

     

    Please rate if it helps, and mark as solution.

     

    🙏

     

4 Replies


  • Looks like I already solved this...openssl command needed to be modified. (drop the noout part)

  • openssl crl2pkcs7 -nocrl -certfile xxxxxxx.ca-bundle | openssl pkcs7 -print_certs -text
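
Added example, not part of the original thread: a Python sketch that reads bundle text in the `subject=` / `issuer=` plus PEM layout shown in the reply above (what `openssl pkcs7 -print_certs` prints when `-text` is left off) and picks out the intermediates for a given server certificate by following issuer to subject, instead of eyeballing each block. The function names and the sample DNs are assumptions made for illustration.

```python
import re

# One entry in the subject=/issuer= + PEM layout shown in the thread.
ENTRY_RE = re.compile(
    r"^\s*subject=(?P<subject>[^\n]*)\n\s*issuer=(?P<issuer>[^\n]*)\n\s*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.DOTALL | re.MULTILINE)

def normalize(dn):
    """Drop spaces around '=' and ',' so differently spaced DNs compare equal."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())

def parse_bundle(text):
    """Return one dict per certificate in the annotated bundle text."""
    found = ENTRY_RE.finditer(text.replace("\r\n", "\n"))
    return [{"subject": normalize(m["subject"]), "issuer": normalize(m["issuer"]),
             "pem": m["pem"] + "\n"} for m in found]

def intermediates_for(leaf_issuer, certs):
    """Follow issuer -> subject upward from the server cert; stop at a root."""
    by_subject = {c["subject"]: c for c in certs}
    chain, want, seen = [], normalize(leaf_issuer), set()
    while want in by_subject and want not in seen:  # 'seen' guards against loops
        seen.add(want)
        cert = by_subject[want]
        if cert["subject"] == cert["issuer"]:
            break  # self-signed root: not an intermediate
        chain.append(cert)
        want = cert["issuer"]
    return chain

# Constructed sample (placeholder names and bodies, not real certificates),
# deliberately out of order: root, issuing CA, policy CA.
SAMPLE = """\
subject=C = US, O = Example Corp, CN = Example Root CA
issuer=C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOT
-----END CERTIFICATE-----
subject=C = US, O = Example Corp, CN = Example Issuing CA
issuer=C = US, O = Example Corp, CN = Example Policy CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERISSUING
-----END CERTIFICATE-----
subject=C = US, O = Example Corp, CN = Example Policy CA
issuer=C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERPOLICY
-----END CERTIFICATE-----
"""
```

Pass the server certificate's issuer DN as `leaf_issuer`; the returned entries carry the PEM text to paste into the import dialog. Matching on names only selects candidates, so confirm the chain cryptographically with `openssl verify` before relying on it.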