Hi,
Here is the process.
Background reading, http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14620.html
- Backup bigip.conf
- import new cert/key into F5 via gui named - samenamecert170414 - ie same name but with date added on end
- reconfig one iApp to use new cert/key
- edit bigip.conf search/replace samenamecert.key and samenamecert.crt to samenamecert170414.key and samenamecert170414.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt
sys file ssl-cert /Common/samenamecert.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert.crt
sys file ssl-key /Common/samenamecert.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.key/samenamecert.key
- Reload the config: tmsh load sys config
- Delete original "samenamecert"
- import new cert/key into F5 via gui names - samenamecert - ie the original cert name
- reconfig one iApp to use samename cert/key ie back to the original name
- edit bigip.conf search/replace samenamecert170414.key and samenamecert170414.crt to samenamecert.key and samenamecert.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt
sys file ssl-cert /Common/samenamecert170414.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert170414.crt_67272_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert170414.crt
sys file ssl-key /Common/samenamecert170414.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert170414.key_67268_1 ( this number will be different )
    revision 1
    source-path /config/ssl/ssl.key/samenamecert170414.key
- tmsh load sys config
- delete the samenamecert170414 cert/key
- Check the cert has the correct serial number. IMPORTANT!
System ›› File Management : SSL Certificate List ›› samenamecert
- Check via a browser that you are getting the correct certificate served, taking a statistically valid sample of your affected domains/applications
- Job done.
Pretty simple really. All due to a certificate change. This should really be so much easier.
NB. Currently I have only done this on the standby node. I am awaiting permission to failover and do a replication. Will update as soon as...
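The search/replace step above is the one that is easy to get wrong by hand: every reference to the old cert/key name has to change except the lines inside the "sys file ssl-cert" and "sys file ssl-key" stanzas, which describe the stored file objects themselves. The script below is an added example (not the poster's procedure and not an F5-supplied tool) that does exactly that exclusion with awk, so the result can be diffed against the backup before "tmsh load sys config" is run. The sample config it works on is a constructed, cut-down bigip.conf fragment, and the function name rename_cert_refs is my own; the real config would be read from a backup copy of /config/bigip.conf.

```shell
#!/bin/sh
# Constructed, minimal bigip.conf-style fragment for demonstration only
# (not a real F5 configuration). One client-ssl profile references the
# cert/key, followed by the two "sys file" stanzas that must NOT be renamed.
SAMPLE_CONF='ltm profile client-ssl /Common/app1.app/app1_clientssl {
    cert /Common/samenamecert.crt
    key /Common/samenamecert.key
}
sys file ssl-cert /Common/samenamecert.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1
    revision 1
    source-path /config/ssl/ssl.crt/samenamecert.crt
}
sys file ssl-key /Common/samenamecert.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1
    revision 1
    source-path /config/ssl/ssl.key/samenamecert.key
}
'

# rename_cert_refs OLD NEW  (reads config on stdin, writes rewritten config on stdout)
# Rewrites OLD.crt / OLD.key to NEW.crt / NEW.key on every line except the lines
# inside "sys file ssl-cert /Common/OLD.crt { ... }" and
# "sys file ssl-key /Common/OLD.key { ... }", which keep the old name.
# OLD and NEW are assumed to be plain alphanumeric object names.
rename_cert_refs() {
    awk -v old="$1" -v new="$2" '
        # Entering the file-object stanza for the old cert or key: protect it.
        $1 == "sys" && $2 == "file" && ($3 == "ssl-cert" || $3 == "ssl-key") &&
        ($4 == ("/Common/" old ".crt") || $4 == ("/Common/" old ".key")) { protected = 1 }
        {
            if (!protected) {
                gsub(old ".crt", new ".crt")
                gsub(old ".key", new ".key")
            }
            print
        }
        # A lone closing brace ends the protected stanza (brace itself is printed above).
        protected && $0 ~ /^[[:space:]]*}[[:space:]]*$/ { protected = 0 }
    '
}

# count_refs NAME  (reads config on stdin) -> number of lines mentioning NAME.crt or NAME.key
count_refs() {
    grep -c "$1\.\(crt\|key\)" || true
}

# Demonstration: forward rename (step 1 of the post), then the reverse rename
# (step 2) must give back the original text; a diff shows what changed.
forward=$(printf '%s' "$SAMPLE_CONF" | rename_cert_refs samenamecert samenamecert170414)
back=$(printf '%s\n' "$forward" | rename_cert_refs samenamecert170414 samenamecert)

printf '%s\n' "$forward"
if [ "$back" = "$(printf '%s' "$SAMPLE_CONF")" ]; then
    echo "round trip OK: reverse rename restores the original config"
fi
```

Run it on a copy of the backed-up bigip.conf (for example `rename_cert_refs samenamecert samenamecert170414 < bigip.conf.bak > bigip.conf.new`), then `diff bigip.conf.bak bigip.conf.new` before replacing the live file; only the profile/iApp reference lines should appear in the diff, never the cache-path or source-path lines.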