Forum Discussion
Overwriting a cert and key without deleting the Client-SSL-profile
Hi, we are in the process of renewing hundreds of certificates in our enterprise. I am looking for an efficient solution here. My idea is to import the new cert and key into the existing cert/key so that all SSL-profiles get updated automatically (wherever the cert/key are being used). I tried doing this by importing and then selecting "overwrite", but it gives me an error that there is no matching key, and vice versa if I try overwriting a key. The only way it would overwrite them is if I delete the client-ssl-profile. Is there a way to overwrite the cert/key without deleting the client-ssl-profiles?
2 Replies
- IainThomson85_1
Cumulonimbus
You could, but you'd need to be reasonably confident with Unix on the back end and copy the "New SSL" cert and overwrite the old one. (Moving the existing one first to a tmp folder.)
What I would suggest: import your new key/cert pairs (I know there may be a lot) and append the name with _2016, for example. Create new SSL profiles which default from the existing profiles, but change the key/cert used. Attach your new profiles to your VIPs.
This way you're protecting yourself from a rollback perspective; you may just need to roll back services that are affected.
It's a difficult one, but once you've done one (I suggest doing it via TMSH), the rest should flow pretty easily.
Hi Sandevsingh,
A Virtual Server is pointing to SSL Profiles, and SSL Profiles are pointing to Certs, Keys and Chains.
If a cert, key and chain are renewed, then I tend to simply import the new ones (e.g. www.domain.de_2016 / www.domain.de_2016_chain). After the cert, key and chain are successfully imported, I simply change the SSL Profiles those certificates are attached to.
So there is no need to delete/recreate an SSL_Profile and/or to touch every individual Virtual Server those certificates are bound to...
Cheers, Kai
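
Both replies recommend importing the renewed pairs under new names before repointing the SSL profiles. With hundreds of pairs, it helps to confirm that each certificate really belongs to its key before anything is imported. The following is an added example, not code from the thread or from F5; it assumes `openssl` is available and that the renewed files sit in a staging directory as `<name>.crt` / `<name>.key` in PEM form with unencrypted keys.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-import check for a bulk renewal.
# Assumed layout: a staging directory holding <name>.crt and <name>.key in PEM
# form with unencrypted keys, e.g. www.domain.de_2016.crt / www.domain.de_2016.key.

# Succeeds only when the certificate's public key equals the one derived from
# the private key. Returns 2 when either file cannot be parsed.
pair_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Checks every *.crt in a directory; succeeds only if all pairs are good.
check_dir() {
    local dir=$1 bad=0 cert key
    for cert in "$dir"/*.crt; do
        [ -e "$cert" ] || continue          # directory without any *.crt
        key="${cert%.crt}.key"
        if [ ! -f "$key" ]; then
            echo "NO KEY    $cert"; bad=$((bad + 1))
        elif pair_matches "$cert" "$key"; then
            echo "OK        $cert"
        else
            echo "MISMATCH  $cert"; bad=$((bad + 1))
        fi
    done
    echo "$bad problem(s) found"
    [ "$bad" -eq 0 ]
}

# Usage: source this file, then run: check_dir /path/to/staging
```

Only pairs reported as `OK` should go on to the import step; a `MISMATCH` or `NO KEY` line points at a file that was renamed or paired incorrectly during the renewal.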