Forum Discussion

Raghu_Nair_7463's avatar
Icon for Nimbostratus rankNimbostratus
Jan 10, 2012

How to update SSL Client Profile after importing the renewed certificate

I came to know forums we have to update the client SSL profile after updating the renewed certificate / keys. Is it true ?



I dont see any API for this under -> iControl.LocalLB.ProfileClientSSL


or just setting key and certificate file ( iControl.LocalLB.ProfileClientSSL.set_key_file , set_certificate_file) will update the client profile ?





I am automating the certificate renewal process.








9 Replies

  • I am designing automation program for Cert Renewal for BIG-IP 9.x version onwards using the iControl API.
  • So I need to make a working solution for all versions which support iControl API ( 9.x onwards).
  • Most of the functions listed here will work for 9.x on:
  • We've found that you can't just replace the file and expect the existing Profile tied to the file to notice. Had to forcefully do a config reload from the CLI if memory serves me correct. Probably the best approach is to create a new profile with the new certificate and just flip the VIP over to new profile. Optionally delete old profile and cert...
  • I wonder what Admin screen does or what API it invokes (Local Traffic -> Profiles -> SSL- Client) when clicking update button.



    From the following -



    discussion Hamish is mentioning about copying the client profile to new one and re-copy it. But I was wondering is there any Programatic way do Client Profile update after renewing the certificate .





  • I found one more solution to it but this requires ssh login to the box. using the following command "bigpipe load" with users permission as the user may loose session data while doing this.


    Referred Article :





  • You can click update on each SSL profile which references the updated cert/key files. This will not have any affect on live traffic like reloading the full configuration would.



    Note that this was fixed in v11.0 so you can import a new cert or key from the GUI or tmsh and each SSL profile which references the files will load the new file automatically.



  • I was just searching for a solution to this behavior, and this is one of the first links that came I thought I would drop by and post the official Solution Article on this:

    SOL13345: The BIG-IP system may incorrectly associate a newly- imported SSL certificate/key pair to other SSL profiles


    For a BIG-IP system that has already encountered this issue, you can recover the BIG-IP system by reloading the configuration or updating the SSL profiles. To do so, perform any of the following procedures:

    Reloading the configuration

    Updating SSL profiles

    Reloading the configuration

    Impact of workaround: Traffic processing is briefly interrupted while the configuration reloads.

    Log in to the Traffic Management Shell (tmsh) by entering the following command:


    Note: If you are currently logged in to the tmsh shell, you can skip this step.

    Reload the BIG-IP configuration by typing the following command:

    load /sys config
    Updating SSL profiles

    Impact of Workaround: None.

    Log in to the BIG-IP Configuration utility.
    Navigate to Local Traffic > Profiles > SSL > Client or Server, depending on the affected SSL profiles.
    Click the name of the affected SSL profile.
    Click Update.
    Repeat Steps 2 through 4 for the remaining affected SSL profiles.


    Type of Fix -   Versions Fixed  -   Related Articles
    Release     -   11.2.0          -   SOL2200: Most recent versions of F5 software
    Hotfix      -   11.1.0 HF2      -   SOL9502: BIG-IP hotfix matrix