Forum Discussion
Mic_108850
Altostratus
May 13, 2010
Issue when renewing certificate on BIG-IP v10.1
8 Replies
- Michael_Yates
Nimbostratus
SSL Certificate renewal is in two parts on the F5.
Get the SSL Key and Cert imported and paired in the SSL Certificates store on the F5, and then update SSL Profile to point to the new SSL Certificate.
Local Traffic -> Profiles
Then on the top row: SSL -> Client
Update the SSL Profile that is applied to the Virtual Server in question, and then you will see the new SSL Certificate.
- Mic_108850
Altostratus
Hi,
In fact, I have not been accurate. It's not a renewal, it's just an import of the new key from Thawte for the same certificate, which will expire tomorrow.
So I've just imported the new key and now I see the new expiration date on Local Traffic ›› SSL Certificates ›› certificate.
The client SSL profile was already attached to the virtual server.
- Hamish
Cirrocumulus
Wrong terminology...
The key is the secret part of the key pair that was created when you (or someone else) created the CSR... (A CSR is the public key, plus attributes, e.g. cn= etc.)
The cert is the CSR that has been cryptographically signed by the CA's private key (so you can use their public key to check the signing).
It's the CERT that changes... Not the key... (For a renewal you take the same key pair and basically resubmit it to the CA for signing again with a new expiry date, hence the cert is different.) I'll reiterate again that I don't recommend reusing the same key pair for a renewal. Much better to re-create a new key pair using the currently supported max length (currently 2048, which is also the minimum you should be using).
H
- Hamish
Cirrocumulus
Oh... If you've re-imported a new cert for an existing key, the system doesn't know the cert has changed (It's still using the cached copy).
I'm not sure how long the tmm will cache it for either... Maybe forever... (I saw a fix in 10.2.0 for cached certs, but didn't read it fully to see if it would fix the problem you're seeing).
You may have to force a change... If you copy the clientssl profile to a new one (i.e. different name, same parameters, cert & key) and then change the profile on the VS it should force tmm to load the new copy of the cert... You can then change the profile back to the original one and remove the copy.
H
- Mic_108850
Altostratus
Right, I think that is what's happening. The old one is probably cached in TMM... I'm going to try what you told me.
- Mic_108850
Altostratus
Yeahhh it works!!
- hoolio
Cirrostratus
You can also click update on the client SSL profile to force TMM to reread the cert/key files:
SOL10561: The BIG-IP system may not use a renewed SSL certificate
https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html
Aaron
- Mic_108850
Altostratus
Indeed, it should be a bug in v 10.1
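As an added example (not code from this thread, from F5, or from the SOL article), the following POSIX shell script shows two things the thread talks about: Hamish's point that a renewal re-signs the same public key so the certificate changes while the key does not, and the file-versus-served fingerprint comparison that exposes the TMM caching problem hoolio's workaround addresses. It needs only the openssl CLI. The CA, the CN www.example.com, the serials, file names and the vip.example.com:443 placeholder in the usage comment are all constructed for the example and are not from the page.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Requires the openssl CLI.
# Everything here (CA, CN, serials, file names) is constructed for illustration.
set -e

# Build a throw-away CA, one server key pair, one CSR, and two certificates
# signed from the SAME CSR with different expiry dates. That is what a renewal
# without a new key pair looks like: key unchanged, certificate changed.
make_renewal_fixture() {
  dir=$1
  mkdir -p "$dir"
  # A private CA standing in for the real CA (self-signed, constructed).
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 365 -subj "/CN=Constructed Test CA" 2>/dev/null
  # The key is the secret half of the key pair.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # The CSR carries the public half plus attributes (CN etc.) for the CA to sign.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=www.example.com" 2>/dev/null
  # Original certificate: the CSR signed by the CA, expiring in 1 day.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 1001 -days 1 -out "$dir/server-old.crt" 2>/dev/null
  # "Renewal": the same CSR (hence the same key pair) re-signed with a new expiry.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 1002 -days 365 -out "$dir/server-new.crt" 2>/dev/null
}

# Public-key modulus as embedded in a certificate and as derived from a private key.
cert_modulus() { openssl x509 -in "$1" -noout -modulus; }
key_modulus()  { openssl rsa  -in "$1" -noout -modulus 2>/dev/null; }

# What actually changes between the old and the renewed certificate.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
cert_enddate()     { openssl x509 -in "$1" -noout -enddate; }

# Check to run BEFORE pairing a cert with a key in the BIG-IP certificate store:
# returns 0 when the certificate's public key belongs to the private key, 1 otherwise.
cert_matches_key() {
  [ "$(cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

# Check to run AFTER updating the client SSL profile: the certificate the virtual
# server presents must carry the same fingerprint as the file on disk. A mismatch
# means TMM is still handing out the cached old certificate. Needs network access,
# so it is not exercised offline. Usage (placeholder host):
#   served_fingerprint vip.example.com:443 www.example.com
served_fingerprint() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Stand-alone demonstration (run as: sh renewal.sh demo): show what changed and what did not.
demo() {
  dir=$(mktemp -d)
  make_renewal_fixture "$dir"
  echo "old cert: $(cert_fingerprint "$dir/server-old.crt") $(cert_enddate "$dir/server-old.crt")"
  echo "new cert: $(cert_fingerprint "$dir/server-new.crt") $(cert_enddate "$dir/server-new.crt")"
  if cert_matches_key "$dir/server-new.crt" "$dir/server.key"; then
    echo "renewed cert still pairs with server.key (modulus identical)"
  fi
  rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

The two fingerprints printed by `demo` differ and the expiry dates differ, while `cert_matches_key` succeeds for both certificates against the same key: that is the whole of a renewal on the same key pair. On the BIG-IP the same comparison, `cert_fingerprint` of the file in the certificate store against `served_fingerprint` of the virtual server, is the quickest way to tell whether the profile update actually took effect or whether the old certificate is still being served from cache.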