Raghu_Nair_7463
Jan 10, 2012

How to update SSL Client Profile after importing the renewed certificate

I came to know from the forums that we have to update the client SSL profile after updating the renewed certificate / keys. Is it true?

I don't see any API for this under iControl.LocalLB.ProfileClientSSL.

Or will just setting the key and certificate file (iControl.LocalLB.ProfileClientSSL.set_key_file, set_certificate_file) update the client profile?

By the way, I am automating the certificate renewal process.

Thanks,
Raghu

  • I am designing an automation program for cert renewal for BIG-IP version 9.x onwards using the iControl API.
  • So I need to make a working solution for all versions which support the iControl API (9.x onwards).
  • Most of the functions listed here will work for 9.x on: http://devcentral.f5.com/wiki/iControl.LocalLB__ProfileClientSSL.ashx
  • We've found that you can't just replace the file and expect the existing profile tied to the file to notice. Had to forcefully do a config reload from the CLI, if memory serves me correctly. Probably the best approach is to create a new profile with the new certificate and just flip the VIP over to the new profile. Optionally delete the old profile and cert...
  • I wonder what the Admin screen does, or what API it invokes, when clicking the Update button (Local Traffic -> Profiles -> SSL -> Client).

    In the following discussion, Hamish mentions copying the client profile to a new one and re-copying it: http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/1172367/showtab/groupforums/Default.aspx

    But I was wondering whether there is any programmatic way to do the client profile update after renewing the certificate.

    Thanks,
    Raghu
  • I found one more solution to it, but this requires SSH login to the box: use the command "bigpipe load", with the user's permission, as the user may lose session data while doing this.

    Referred article: https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html

    Thanks,
    Raghu
  • You can click Update on each SSL profile which references the updated cert/key files. This will not have any effect on live traffic like reloading the full configuration would.

    Note that this was fixed in v11.0, so you can import a new cert or key from the GUI or tmsh and each SSL profile which references the files will load the new file automatically.

    Aaron
  • I was just searching for a solution to this behavior, and this is one of the first links that came up... so I thought I would drop by and post the official Solution Article on this:

    SOL13345: The BIG-IP system may incorrectly associate a newly-imported SSL certificate/key pair to other SSL profiles

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13345.html?sr=35294954

    Workaround

    For a BIG-IP system that has already encountered this issue, you can recover the BIG-IP system by reloading the configuration or updating the SSL profiles. To do so, perform any of the following procedures:

      • Reloading the configuration
      • Updating SSL profiles

    Reloading the configuration

    Impact of workaround: Traffic processing is briefly interrupted while the configuration reloads.

    1. Log in to the Traffic Management Shell (tmsh) by entering the following command:

        tmsh

       Note: If you are currently logged in to the tmsh shell, you can skip this step.

    2. Reload the BIG-IP configuration by typing the following command:

        load /sys config

    Updating SSL profiles

    Impact of workaround: None.

    1. Log in to the BIG-IP Configuration utility.
    2. Navigate to Local Traffic > Profiles > SSL > Client or Server, depending on the affected SSL profiles.
    3. Click the name of the affected SSL profile.
    4. Click Update.
    5. Repeat Steps 2 through 4 for the remaining affected SSL profiles.

    FIXED IN

    Type of Fix -   Versions Fixed  -   Related Articles
    Release     -   11.2.0          -   SOL2200: Most recent versions of F5 software
    Hotfix      -   11.1.0 HF2      -   SOL9502: BIG-IP hotfix matrix