Renewing SSL certificate for SSL offload - question regarding CSR creation
We are doing SSL Offload (encrypt to clients, plaintext to servers) using a cert that needs to be renewed. The server admin sent us the .crt and .key files that apparently he generated from the server. However, since the F5 is the one handling the SSL encryption (and not the server), shouldn't the CSR be generated from the F5? I am wondering if I can use the renewed cert as provided and continue to do SSL Offload. Thank you!
- AJ_01_135899Cirrostratus
If you have both the key and the cert, it shouldn't matter that it was generated on the server itself. Just import them both and configure the Client SSL profile to apply to the VIP.
- Carlos_Colon_24Nimbostratus
Thank you!! Let me give it a shot.
- Ashish_ChakravaNimbostratus
- Do it after hours
- Take a backup before the cert update so that if something goes down you can roll back.
- Upload the cert
- And call it on your SSL profile.
- Carlos_Colon_24Nimbostratus
Thank you, Ashish! I backed up the F5 configuration this morning. The customer wants it renewed asap so I may not be able to wait until after hours. I will try to wait until late in the day.
- The_YCirrus
Yes you can. It doesn't matter where the cert is generated. As long as the cert is good you can use it.
- Carlos_Colon_24Nimbostratus
One last thing, are there any concerns with updating the Client SSL Profile in the middle of the day as long as I can make sure that the cert is good beforehand?
- The_YCirrus
The one thing you need to be aware of is that once you replace the cert with the new one any currently established connection will have to be re-negotiated.
- AJ_01_135899Cirrostratus
Obviously the safe answer would be to wait until after hours.
That said, this would be a quick rollout and rollback. To make the rollout and rollback faster you could create a new Client SSL profile (assuming there's only one VIP using this Client SSL profile), and just apply the new profile to the VIP. Rollback would be reverting to the old profile.
Just for thoroughness' sake, are there any intermediate certificates in the existing Client SSL profile?
- Carlos_Colon_24Nimbostratus
Thank you, AJ! There are intermediate certs in the existing Client SSL profile. One weird thing is that the cert is from InCommon but the chain is from Thawte. Not sure why it was set up that way.
- Carlos_Colon_24Nimbostratus
Thanks again for your help, AJ! Your 'just for thoroughness' sake' comment allowed me to notice that there were duplicate Client SSL profiles and to ignore/delete the one that had the chain from Thawte!
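A pre-import check for the situation discussed in this thread, added here as an example and not posted by any participant: it confirms that the supplied key belongs to the certificate, that the certificate has not expired, and that an optional chain bundle actually contains the certificate's issuer. The function name `check_pair` and its file arguments are assumptions; it uses only the standard `openssl` CLI and expects PEM files with an unencrypted private key.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for a cert/key pair supplied by a server admin.
# Assumes PEM files and an unencrypted private key; file names are the caller's.

# usage: check_pair CERT KEY [CHAIN]
# returns 0 if all checks pass, 1 on a failed check, 2 if a file cannot be parsed
check_pair() {
    local cert=$1 key=$2 chain=${3:-} cert_pub key_pub

    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "ERROR: cannot parse certificate $cert"; return 2; }
    # Public key derived from the private key
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "ERROR: cannot parse private key $key"; return 2; }

    # 1. The key must be the one the certificate was issued for.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 1
    fi

    # 2. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; return 1
    fi

    # 3. If a chain bundle is given, it must contain this certificate's issuer.
    #    -partial_chain lets an intermediate in the bundle act as the anchor.
    if [ -n "$chain" ]; then
        if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
            echo "FAIL: chain bundle does not verify this certificate"
            openssl x509 -in "$cert" -noout -issuer
            return 1
        fi
    fi

    # Show what is about to be imported so it can be compared with the old cert.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    echo "OK: key matches, certificate is current${chain:+, chain verifies}"
}
```

Run it against the files before importing them, passing the intermediate bundle as the third argument when the Client SSL profile will reference one.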