sandy16
Sep 07, 2016

Overwriting a cert and key without deleting the Client-SSL-profile

Hi, we are in the process of renewing hundreds of certificates in our enterprise. I am looking for an efficient solution here. My idea is to import the new cert and key into the existing cert/key so that all SSL-profiles get updated automatically (wherever the cert/key are being used). I tried doing this by importing and then selecting "overwrite", but it gives me an error that there is no matching key, and vice versa if I try overwriting a key. The only way it would overwrite them is if I delete the client-ssl-profile. Is there a way to overwrite the cert/key without deleting the client-ssl-profiles?

 

2 Replies

  • You could, but you'd need to be reasonably confident with Unix on the back end and copy the "New SSL" Cert and overwrite the old one. (Moving the existing first to a tmp folder)

     

    What I would suggest. Import your new keys/cert pairs (I know there may be a lot) - Append the name with _2016 for example. Create new SSL profiles which default from the existing profiles, but change key/cert used. Attach your new profiles to your vips.

     

    This way you're protecting yourself from a rollback perspective, you may just need to rollback services that are affected.

     

    It's a difficult one, but once you've done 1, (I suggest doing it via TMSH) the rest should flow pretty easily.

     

  • Hi Sandevsingh,

     

    a Virtual Server is pointing to SSL Profiles and SSL Profiles are pointing to Certs, Keys and Chains.

     

    If a cert, key and chain is renewed, then I tend to simply import the new ones (e.g. www.domain.de_2016 / www.domain.de_2016_chain). After the cert, key and chain are successfully imported, I simply change the SSL Profiles where those certificates are attached to.

     

    So there is no need to delete/recreate an SSL_Profile and/or to touch every individual Virtual Server where those certificates are bound to...

     

    Cheers, Kai
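
The workflow both replies describe (import the renewed pair under a new name, then repoint the existing client-ssl profile) can be scripted for many certificates. The following is an added example, not code from either poster or from F5: it checks with OpenSSL that each renewed certificate and key really belong together, which is the condition behind the "no matching key" error in the question, and only then prints the tmsh commands for review. The manifest format, file paths and object names are assumptions, key files are assumed to be unencrypted, and the installed object names and the `cert`/`key` profile options should be checked against your TMOS version.

```shell
#!/bin/sh
# Added example. Manifest format, paths and object names are assumptions.
# Manifest lines: <client-ssl-profile> <new-object-name> <cert-file> <key-file>

# Return 0 only when the certificate and the private key carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print (not run) the tmsh commands for one renewal, or refuse on a mismatch.
plan_renewal() {
    profile=$1 name=$2 cert=$3 key=$4
    if ! pair_matches "$cert" "$key"; then
        echo "SKIP $profile: $cert and $key are not a matching pair" >&2
        return 1
    fi
    # The old cert/key objects stay on the box, so rollback is one more
    # "modify" pointing the profile back at the previous names.
    printf 'tmsh install sys crypto key %s from-local-file %s\n' "$name" "$key"
    printf 'tmsh install sys crypto cert %s from-local-file %s\n' "$name" "$cert"
    # Some TMOS versions store the objects as <name>.key / <name>.crt;
    # adjust the names below if yours does.
    printf 'tmsh modify ltm profile client-ssl %s cert %s key %s\n' \
        "$profile" "$name" "$name"
}

# Read a manifest on stdin; blank lines and lines starting with # are ignored.
# Returns non-zero if any pair was skipped.
plan_all() {
    rc=0
    while read -r p n c k; do
        case $p in ''|'#'*) continue ;; esac
        plan_renewal "$p" "$n" "$c" "$k" || rc=1
    done
    return $rc
}

# Usage: . ./plan.sh; plan_all < renewals.txt > commands.txt
```

Review the generated commands before running them on the BIG-IP; mismatched pairs are reported on stderr and produce no commands.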