For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sandy16's avatar
sandy16
Icon for Altostratus rankAltostratus
Sep 07, 2016

Overwriting a cert and key without deleting the Client-SSL-profile

Hi, we are in a process of renewing hundreds of certificates in our enterprise. I am looking for an efficient solution here. My idea is to import the new cert and key into the existing cert/key so th...
application delivery
LTM
IainThomson85_1's avatar
IainThomson85_1
Icon for Cumulonimbus rankCumulonimbus
Sep 08, 2016

You could, but you'd need to be reasonably confident with UNix on the back end and copy the "New SSL" Cert and overwrite the old one. (Moving the existing first to a tmp folder)

 

What I would suggest. Import your new keys/cert pairs (I know there may be a lot) - Append the name with _2016 for example. Create new SSL profiles which default from the existing profiles, but change key/cert used. Attach your new profiles to your vips.

 

This way you're protecting yourself from a rollback perspective, you may just need to rollback services that are affected.

 

Its a difficult one, but once you've done 1, (I suggest doing it via TMSH) the rest should flow pretty easily.