Forum Discussion
renewal of ssl certs
I won't say this is a best practice, but I never renew certs on my BigIP SSL-terminated VIPs. I generate new keys several weeks prior to the expiration time. I then submit the CSR for the new certificate and create new client SSL profiles once the new certificate is received. (My CA doesn't charge less for renewals vs. new.) When implementing the change, I apply the new client SSL profile to the virtual server (so I have the previous one available to back out to if necessary). There is no downtime unless there is a mistake made when setting up the new client SSL profile, but this way you have the old one to revert to if there is a problem. (And, lately, with the whole SHA1 to SHA2 migration, disabling RC4 ciphers or SSLv3, adding GCM ciphers or those supporting Forward Secrecy, there could be problems, especially with older clients...) As soon as the new profile is applied, new client connections will use the new cert and existing clients will have to redo the SSL handshake.
Once you set the new client SSL profile on the VIP, use the tools provided by the CA to ensure the certificate chain is accurate (assuming they offer one) and you're all set.
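As an added example (not from the original post, and not F5's own tooling), the rotation described above as a shell script with openssl: a fresh key and CSR, a constructed stand-in CA, and the pre-flight checks worth running before the new client SSL profile goes on the VIP. The hostname and CA name are placeholders, and the scratch directory is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Rotates to a brand-new key pair
# and CSR, stands in for the CA with a constructed test CA, then runs the
# checks worth doing before the cert goes into a new client-ssl profile.
set -euo pipefail

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
CN="www.example.com"                 # placeholder hostname, not a real site

# Step 1: new private key and CSR. The old key is never reused.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CN" \
    -keyout "$WORKDIR/new.key" -out "$WORKDIR/new.csr" 2>/dev/null
}

# Step 2 (constructed): a throwaway CA issues a 90-day cert from the CSR.
# In practice this is the CSR you submit to your real CA.
issue_with_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Constructed Test CA" -keyout "$WORKDIR/ca.key" \
    -out "$WORKDIR/ca.crt" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$CN" > "$WORKDIR/ext.cnf"
  openssl x509 -req -in "$WORKDIR/new.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 90 -sha256 \
    -extfile "$WORKDIR/ext.cnf" -out "$WORKDIR/new.crt" 2>/dev/null
}

# Step 3: pre-flight checks for the new client-ssl profile.
# Does the returned cert actually pair with the key we generated?
key_matches_cert() {   # $1 = cert, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
# Does the cert chain to the CA bundle we will load as the profile's chain?
chain_verifies() {     # $1 = cert, $2 = CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# Will the cert still be valid $2 days from now? (exit 0 = yes)
valid_for_days() {     # $1 = cert, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_csr
issue_with_test_ca
key_matches_cert "$WORKDIR/new.crt" "$WORKDIR/new.key" && echo "key/cert pair OK"
chain_verifies "$WORKDIR/new.crt" "$WORKDIR/ca.crt"    && echo "chain OK"
valid_for_days "$WORKDIR/new.crt" 30                   && echo "valid for 30+ days"
```

Run the three checks against the real cert and the chain bundle the CA returns; a key/cert mismatch or an incomplete chain is exactly the setup mistake that would otherwise only show up after the profile is applied.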
