Forum Discussion

elastic_82555's avatar
elastic_82555
Icon for Nimbostratus rankNimbostratus
Apr 16, 2014

Cannot Renew Certifcate and private key ( but keep the same name in F5 config )

Hi, Am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere ( ie not on the F5 ), and have the cert/key from a CA already. The current certificate/key is ...
ASM Advanced WAF
devops
iApps
management
security
  • Cory_50405's avatar
    Cory_50405
    Apr 16, 2014

    So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.

     

elastic_82555's avatar
elastic_82555
Icon for Nimbostratus rankNimbostratus

Hi, Here is the process.

 

Background reading, http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14620.html14

 

  1. Backup bigip.conf
  2. import new cert/key into F5 via gui named - samenamecert170414 - ie same name but with date added on end
  3. reconfig one iApp to use new cert/key
  4. edit bigip.conf search/replace samenamecert.key and samenamecert.crt to samenamecert170414.key and samenamecert170414.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt

sys file ssl-cert /Common/samenamecert.crt { cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert.crt_67272_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.crt/samenamecert.crt sys file ssl-key /Common/samenamecert.key { cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert.key_67268_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.key/samenamecert.key

 

  1. Relaod the config tmsh load sys config

     

  2. Delete original "samenamecert"

     

  3. import new cert/key into F5 via gui names - samenamecert - ie the original cert name
  4. reconfig one iApp to use samename cert/key ie back to the original name
  5. edit bigip.conf search/replace samenamecert170414.key and samenamecert179414.crt to samenamecert.key and samenamecert.crt respectively, except for 6 lines as follows, 3 for key and 3 for crt

sys file ssl-cert /Common/samenamecert170414.crt { cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:samenamecert170414.crt_67272_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.crt/samenamecert170414.crt sys file ssl-key /Common/samenamecert170414.key { cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:samenamecert170414.key_67268_1 ( this number will be different ) revision 1 source-path /config/ssl/ssl.key/samenamecert170414.key

 

  1. tmsh load sys config
  2. delete the samenamecert170414 cert/key
  3. Check the cert has the correct serial number. IMPORTANT! System ›› File Management : SSL Certificate List ›› samenamecert
  4. Check via a browser that you are getting the correct certificate served, taking a stastically valid sample of your affected domains/applications
  5. Job done.

Pretty simple really. All due to a certificate change. This should really be so much easier.

 

NB. Currently I have only done this on the standby node. I am awating permission to failover and do a replication. Will update as soon as...

 

Cory_50405's avatar
Cory_50405
Icon for Noctilucent rankNoctilucent
Apr 17, 2014
Your thoroughness and attention to detail is impressive.
Related Content