How to export SSL certificates from a LoadMaster Certificate Backup

To back up certificates and keys, follow the steps below in the LoadMaster Web User Interface (WUI):

  1. Go to Certificates > Backup/Restore Certs.
  2. In the Certificate Backup section, enter the desired Passphrase twice. This passphrase will be needed when restoring the backup.
  3. After the file is downloaded, rename it to certbackup.gz.
  4. Once you have the .gz file, decompress it, either from the command line using gzip -d or with a tool such as 7-Zip.
  5. Rename the resulting file to certbackup.aes.
  6. Download and install OpenSSL from the web.
  7. Using OpenSSL, run:
    openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k passphrase
    Where passphrase is the passphrase you entered when exporting the backup from the LoadMaster. The -md md5 option is required with OpenSSL 1.1 and later, where the default digest changed from MD5 to SHA-256; the "deprecated key derivation used" warning that newer versions print is expected and can be ignored.
  8. Untar the resulting file (certbackup.tar).
    The resulting folder will contain your certificates.
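The script below is an added example, not Kemp's own tooling: it automates steps 3 to 8 in POSIX shell and checks the file before each step, so that the two usual failures (forgetting to decompress before running openssl, and running tar with -z on the decrypted archive) are caught with a clear message. It assumes gzip, openssl and tar are on PATH, uses -md md5 because LoadMaster backups were produced with the OpenSSL 1.0 default digest, and reads the passphrase from a CERTBACKUP_PASS environment variable (an assumed name) rather than from the command line, so it does not show up in the process list.

```shell
#!/bin/sh
# Added example, not Kemp's own tooling: automate steps 3-8 of the article
# with a sanity check before each step. Assumes gzip, openssl and tar are on
# PATH; the passphrase comes from the CERTBACKUP_PASS environment variable
# (assumed name) instead of "-k passphrase" on the command line.
set -u

# Succeeds when FILE starts with the gzip magic bytes 1f 8b
# (the downloaded backup, whatever its name, is a gzip file).
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Succeeds when FILE starts with the "Salted__" header that "openssl enc"
# expects. "bad magic number" from openssl means this header is absent,
# typically because the file was not decompressed first.
is_openssl_salted() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# decrypt_certbackup DOWNLOADED_FILE OUTDIR
# Decompresses, decrypts and untars the backup into OUTDIR.
decrypt_certbackup() {
    src=$1
    out=$2
    if [ -z "${CERTBACKUP_PASS:-}" ]; then
        echo "error: set CERTBACKUP_PASS to the backup passphrase" >&2
        return 1
    fi
    mkdir -p "$out"
    if ! is_gzip "$src"; then
        echo "error: $src is not gzip data; download the backup again" >&2
        return 1
    fi
    gzip -dc "$src" > "$out/certbackup.aes" || return 1
    if ! is_openssl_salted "$out/certbackup.aes"; then
        echo "error: decompressed file lacks the Salted__ header" >&2
        return 1
    fi
    # The backup was encrypted with OpenSSL 1.0 defaults, which derive the
    # key with MD5, so -md md5 is required on OpenSSL 1.1 and later. The
    # "deprecated key derivation" warning openssl prints is expected.
    if ! openssl enc -d -aes256 -md md5 -in "$out/certbackup.aes" \
            -out "$out/certbackup.tar" -pass env:CERTBACKUP_PASS; then
        echo "error: decryption failed; check the passphrase" >&2
        return 1
    fi
    # The decrypted payload is a plain tar archive, not gzip: use tar -xf,
    # not tar -xzf.
    tar -xf "$out/certbackup.tar" -C "$out"
}
```

Usage: save the script, then run `CERTBACKUP_PASS='...' sh -c '. ./certbackup.sh; decrypt_certbackup CertBackup_DOWNLOADED ./certs'`, substituting the downloaded file name. The certificates and keys end up in ./certs; remove that directory once they have been imported elsewhere.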


Note: The extracted files are in standard X.509 certificate format. You can import the certificate and key into IIS or any other web server that accepts standard X.509 certificates.


Comments

emak

Hi

OpenSSL has changed the default message digest from MD5 (openssl-1.0) to SHA256 (openssl-1.1). As of KEMP 7.2.42 the digest has not yet been adapted, and you have to use the following command in order to be able to decrypt the file:
openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k passphrase

Cloud Engineering

Thank you @emak! Kemp needs to update this KB!

jkuter

I can't get this to work on Ubuntu 20.04:
openssl enc -d -aes256 -md md5 -in CertBackup_2020_08_05.00.57 > cer.tar
enter aes-256-cbc decryption password:
bad magic number

Nick Smylie

Hi @jkuter

I tried both ways: the original command...
openssl enc -in CertBackup.aes -out certbackup2.tar -d -aes256 -md md5 -k password

Also tried it with yours...
openssl enc -d -aes256 -md md5 -in CertBackup.aes > cer.tar

And both worked. I noticed, though, that you did not rename your file and maybe also did not unzip it before trying the command. Can you try that and then try again, please?

jkuter

I tried the documented way as well; same error no matter what passphrase I use. What version of Kemp and what OS are you using? I will try downloading it in Windows and running it in WSL and see if it makes a difference.

Nick Smylie

Hi,

The LM version is .48.1 and Ubuntu is 20.04.1 LTS. You did unzip beforehand, correct? Are you using any special characters in your passphrase?

jkuter

7.2.48.1.17992.RELEASE.20191108-2115. No matter what I try, even with password 123456, I get the magic number error. Just received the same error in Windows WSL (Ubuntu). I will try another Kemp box and see if I can reproduce there. I am backing up from the cert backup and restore screen in the WUI.

jkuter

jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv CertBackup_2020_08_05.15.57 certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ gzip -d certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv certbackup certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv certbackup.gz certbackup.aes
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k 123456
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ tar xfvz certbackup.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

Is it the Kemp version? Do I need to upgrade? I just tried on an Azure Kemp and an on-prem Kemp and received the same error.

Nick Smylie

Hi,

So I also get the

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

error, but in the end I do get a .tar file which has my certs in it. I just use WinSCP to move it to my desktop and unzip it there. Another thing to note is that you unzip using gzip -d just to change the file name again to .gz; this step is not needed and could be causing your problem when you try to tar it after running the openssl command.

I tried on the same version as yours and a newer version; both work fine.

jkuter

gzip -d is step 4 of the instructions; I also thought it wasn't useful, which is why I was using the other command (which you said works for you). I gave up on this (probably an issue with the minor version we are using). Thanks for the help; we don't really need this functionality, it was just something we were trying out.