Forum Discussion

F5_324021's avatar
F5_324021
Icon for Cirrus rankCirrus
Oct 05, 2017

Exporting SSL Certificate to another BIG IP

Hello,

 

We are upgrading our F5 boxes and we need to to move all the traffic SSL certificates to a new box.

 

The certificates that are on the old box was signed by a CA after generating a CSR from the box itself.

 

Should we do the same for the new box or simply export the signed SSL traffic certificate to it without resigning the Cert from a new CSR generated from the new box.

 

Please advise.

 

Thank you.

 

  • I have done the changes successfully, and it worked by simply uploading the signed cert with the key and the cert key chain from the signed authority side.

     

    Thanks :)

     

9 Replies

  • Hi

     

     

    Based on your explanation, it seems the certs are all self-signed and they are already associated with with virtual servers through client or server ssl profiles.

     

    If that is the case, I would vote for recreating self-signed certs and key on the new box but use the same cert and key name so that you don't need to change anything from existing client or server ssl profile.

     

    One catch would be to import certs and key first before you import client and server ssl profiles.

     

    • RaghavendraSY's avatar
      RaghavendraSY
      Icon for Altostratus rankAltostratus

      You can export certificates and key from F5-A and import in F5-B. While importing please import both certificate and key separately. It works fine and we did same in our environment

       

    • RaghavendraSY's avatar
      RaghavendraSY
      Icon for Altostratus rankAltostratus

      Import both certificate and key separately with same name.

       

    • F5_324021's avatar
      F5_324021
      Icon for Cirrus rankCirrus

      Hello ,

       

      Thanks for your replies,

       

      So no need to regenerate a CSR from the new box?

       

      simply exporting the SSL traffic Cert and its key will work?without the CSR presented on the box?

       

  • Snl's avatar
    Snl
    Icon for Cirrostratus rankCirrostratus

    you can use certificate archive option were you can select key and certificate and restore to another bigip without any issue

     

  • I have done the changes successfully, and it worked by simply uploading the signed cert with the key and the cert key chain from the signed authority side.

     

    Thanks :)