Forum Discussion
elastic_82555
Nimbostratus
Apr 16, 2014
Cannot Renew Certificate and private key (but keep the same name in F5 config)
Hi,
I am trying to renew the wildcard certificate for our main domain. The CSR is generated elsewhere (i.e. not on the F5), and I have the cert/key from a CA already. The current certificate/key is ...
- Apr 16, 2014
So another option could be that you create a new certificate and key pair, and then manually edit /config/bigip.conf and replace every instance of the previous certificate and key with the new certificate and key in each of your SSL profiles. Once done, perform a 'tmsh load sys config'. This might also be a bit tedious, but less so than doing it by clicking through the GUI.
nitass
Employee
Apr 22, 2014
This is my testing. Is it the same as yours?
0. existing certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:443
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
myclientssl {
context clientside
}
tcp { }
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 17
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
app-service none
cert-key-chain {
one {
cert one.crt
key one.key
}
}
defaults-from clientssl
}
1. verify certificate from virtual server
[root@ve11a:Active:In Sync] config echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=one
issuer= /C=US/CN=one
2. install new certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto cert two from-local-file /var/tmp/two.crt
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) install sys crypto key two from-local-file /var/tmp/two.key
3. verify new certificate and key
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto cert two.crt
sys crypto cert two.crt {
certificate-key-size 2048
city
common-name two
country US
email-address
expiration Apr 22 08:31:58 2015 GMT
organization
ou
public-key-type RSA
state
subject-alternative-name
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys crypto key two.key
sys crypto key two.key {
key-size 2048
key-type rsa-private
security-type normal
}
4. save configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) save sys config
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done
5. manually modify bigip.conf
ltm profile client-ssl /Common/myclientssl {
app-service none
cert-key-chain {
one {
cert /Common/two.crt
key /Common/two.key
}
}
defaults-from /Common/clientssl
}
6. reload configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/defaults/daemon.conf
/defaults/fullarmor_gpo_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
7. verify certificate from virtual server
[root@ve11a:Active:In Sync] config echo | openssl s_client -connect 172.28.24.10:443 2>/dev/null | openssl x509 -noout -subject -issuer
subject= /C=US/CN=two
issuer= /C=US/CN=two
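The manual edit in step 5 (and the "replace every instance in each of your SSL profiles" approach from the earlier reply) is easy to get wrong across many profiles. Below is an added example, not code from the thread or from F5, that does the same rewrite with sed against a bigip.conf-style file: it swaps only the cert/key lines inside cert-key-chain stanzas, keeps the /Common/ partition prefix that the saved file uses, leaves a .bak copy for rollback, and counts references before and after so you can confirm nothing was missed. The profile and object names in the sample config are constructed for the demo; on a real box you would run it against /config/bigip.conf after 'tmsh save sys config' and before 'tmsh load sys config', as in the steps above.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): rewrite cert/key object
# names inside every cert-key-chain stanza of a bigip.conf-style file.
# Profile and object names below are constructed for this demo.
set -eu

# Constructed sample: two client-ssl profiles that reference one.crt/one.key
# (one of them also carries a chain line that must survive untouched) and a
# third profile that uses a different cert and must not be modified.
make_sample_conf() {
    cat > "$1" <<'EOF'
ltm profile client-ssl /Common/myclientssl {
    app-service none
    cert-key-chain {
        one {
            cert /Common/one.crt
            key /Common/one.key
        }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/api-ssl {
    cert-key-chain {
        one {
            cert /Common/one.crt
            chain /Common/ca-bundle.crt
            key /Common/one.key
        }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/other-ssl {
    cert-key-chain {
        other {
            cert /Common/other.crt
            key /Common/other.key
        }
    }
    defaults-from /Common/clientssl
}
EOF
}

# Escape the dots in an object name such as one.crt so sed/grep treat it literally.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# count_refs FILE NAME: number of cert/key lines that reference object NAME,
# with or without the /Common/ partition prefix. Prints 0 when none match.
count_refs() {
    name=$(re_escape "$2")
    grep -cE "^[[:space:]]*(cert|key) (/Common/)?${name}\$" "$1" || true
}

# swap_cert_key FILE OLD_CERT OLD_KEY NEW_CERT NEW_KEY: rewrite only the cert
# and key lines, keep any partition prefix, and leave FILE.bak for rollback.
swap_cert_key() {
    file=$1 oc=$(re_escape "$2") ok=$(re_escape "$3") nc=$4 nk=$5
    cp "$file" "$file.bak"
    sed -E \
        -e "s#^([[:space:]]*cert (/Common/)?)${oc}\$#\1${nc}#" \
        -e "s#^([[:space:]]*key (/Common/)?)${ok}\$#\1${nk}#" \
        "$file.bak" > "$file"
}

# Demo run against the constructed sample config.
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    printf 'before: %s refs to one.crt, %s to one.key\n' \
        "$(count_refs "$tmp" one.crt)" "$(count_refs "$tmp" one.key)"
    swap_cert_key "$tmp" one.crt one.key two.crt two.key
    printf 'after:  %s refs to one.crt, %s to two.crt\n' \
        "$(count_refs "$tmp" one.crt)" "$(count_refs "$tmp" two.crt)"
    diff -u "$tmp.bak" "$tmp" || true   # diff exits 1 when the files differ
    rm -f "$tmp" "$tmp.bak"
}
demo
```

The key line: the count of references to the old object must drop to zero and the count for the new one must equal what the old one had, otherwise some profile still points at the expiring cert and 'load sys config' will happily keep serving it there.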
elastic_82555
Nimbostratus
Apr 22, 2014
Hi, without being exhaustive it looks similar. However, the only way to identify new certs versus old is with the serial number/fingerprint, so the command used locally...
echo | openssl s_client -connect 10.1.2.11:443 2>&1|openssl x509 -noout -serial
This should print out the serial number of your cert. Old and new certs should have different serial numbers.
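To make the serial/fingerprint check above repeatable, here is an added example (not code from the thread) that generates two throwaway self-signed certs, prints the serial number and SHA-256 fingerprint of each, and compares them. The certs are constructed test data, not the poster's real wildcard cert; the IP and hostname in the s_client comment are placeholders. The demo is skipped if openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): identify a certificate by serial
# number and SHA-256 fingerprint, using two self-signed certs generated
# here as constructed test data.
set -eu

# Generate throwaway self-signed certs "one" and "two" into directory $1.
# openssl req -x509 picks a random serial for each, so they will differ.
make_test_certs() {
    for cn in one two; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/C=US/CN=$cn" \
            -keyout "$1/$cn.key" -out "$1/$cn.crt" 2>/dev/null
    done
}

# cert_identity FILE: print "serial=<hex>;fp=<sha256>" for a PEM certificate.
cert_identity() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    printf 'serial=%s;fp=%s\n' "$serial" "$fp"
}

# certs_differ A B: succeed (exit 0) when A and B are different certificates.
certs_differ() {
    [ "$(cert_identity "$1")" != "$(cert_identity "$2")" ]
}

# The same check against a live virtual server (placeholder address and
# hostname; -servername matters once SNI-based profiles are in play):
#   echo | openssl s_client -connect 10.1.2.11:443 -servername www.example.com 2>/dev/null \
#       | openssl x509 -noout -serial -fingerprint -sha256

demo() {
    d=$(mktemp -d)
    make_test_certs "$d"
    echo "one: $(cert_identity "$d/one.crt")"
    echo "two: $(cert_identity "$d/two.crt")"
    if certs_differ "$d/one.crt" "$d/two.crt"; then
        echo "different certificate objects: the renewed cert is the one being served"
    else
        echo "same certificate: the renewal did not take effect"
    fi
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found, skipping demo" >&2
fi
```

In practice you capture the serial/fingerprint of the cert the virtual server serves before the change, install the new pair and reload, then capture again: if the two captures match, the profile is still referencing the old object, no matter what the GUI shows.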