For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Randy_Banks_470's avatar
Randy_Banks_470
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Replacing/updating multiple cert/key pairs

I have multiple Cert/key (39) pairs that need to be replaced with updated pairs. Is there a simple way to package and replace these certs without having to first disassociate them from the profiles a...
application delivery
LTM
ssl
ssl files
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Jan 15, 2016

What I tend to do is to create a tgz with the same folder structure as when exporting certs via the archive function and put all the new certs and keys in there with new names based on their subject-expiration year. i.e. one folder named ssl.crt and one named ssl.key. I then import that.

You could also upload them via sftp and import them with 

tmsh install crypto key  from-file-location
and 
tmsh install crypto cert  from-file-location
.

Then from there I just script the replacing of the cert, key, and chain(if necessary) of the client ssl profile

tmsh modify ltm profile client-ssl  cert-key-chain replace-all-with { {cert  key  chain }}

You could also easily do this via iControl as well is you wanted to. The reason you have to do this is you can not replace a key that is currently in use in a profile. You can replace a cert if it is generated from the existing key as this would be considered a renewal.

Related Content