Replacing key/certs via iControl
I'm using key_import_from_pem() and certificate_import_from_pem() to update cert/key stored in a partition folder. I set the overwrite flag when making the call and both API calls succeed without exception.
Debug logs from F5:
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::certificate_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Cert: wildcard.xyzzy.com
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:+++++++++++++++++++++++++++++++++++++
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::key_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Key: wildcard.xyzzy.com
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Everything looks good in the logs and no exception is thrown via the API.
However, the new certificate/key IS NOT what we see in the certificate_d folder for the partition.
If I turn off the overwrite function, it DOES throw an exception that it would be replacing a file. So I _know_ it should be replacing the file in that location.
Something is amiss...
What is the appropriate way for replacing cert/keys via iControl? IE. We've got expiring certs that need replacement, or the cert has been modified to include an additional item in its subject alternative name, etc.
Thanks!