Renew SSL client cert without causing outage to VS

Its my understanding that as long as you did the original CSR from the LTM, that you can just use the renew button to create a new CSR, submit it, and then import the new cert. I don't think this causes an outage, maybe a momentary interruption as the VS is updated. I've been going thru the pain of renewing certs that were first installed via PEM files from CSRs that were generated on other web servers. Simply renewing on the F5 isn't an option in that case because the keys don't match.

Here you go:

 

 

SOL7573: Renewing a Certificate Authorities signed certificate that requires a new key without overwriting the current key and certificate

 

https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7573.html

 

 

SOL10561: The BIG-IP system may not use a renewed SSL certificate

 

https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html

 

 

Aaron

Thanks all....

 

 

But as per SOL7573:

 

 

It going to cause outage when u chnage the cert in the profile....

 

 

 

I am after a solution to upgrade cert without causing any disruption......

I'm not sure you're reading the SOL note correctly... The change doesn't usually cause an outage (YMMV there's been quite a few fixes in the past for TMM crashing when changing the cert on a profile)...

 

 

However it is generally regarded as safer to make changes of this sort during a maintenance (Or quiet) window.

 

 

Also, I'll use this opportunity to say that you should be using a NEW 2048b key pair for the CSR... Using a new key limits the damage if a key is compromised (e.g. old backup tapes, old HD's etc).

 

 

H