Forum Discussion
Replacing/updating multiple cert/key pairs
I have multiple cert/key pairs (39) that need to be replaced with updated pairs. Is there a simple way to package and replace these certs without having to first disassociate them from the profiles and delete the old pairs?
- Brad_ParkerCirrus
What I tend to do is to create a tgz with the same folder structure as when exporting certs via the archive function and put all the new certs and keys in there with new names based on their subject-expiration year. i.e. one folder named ssl.crt and one named ssl.key. I then import that.
You could also upload them via sftp and import them with
tmsh install crypto key from-file-location
and
tmsh install crypto cert from-file-location
Then from there I just script the replacing of the cert, key, and chain (if necessary) of the client ssl profile:
tmsh modify ltm profile client-ssl cert-key-chain replace-all-with { {cert key chain }}
You could also easily do this via iControl as well if you wanted to. The reason you have to do this is you cannot replace a key that is currently in use in a profile. You can replace a cert if it is generated from the existing key as this would be considered a renewal.
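The workflow in the answer above, as an added example that is not part of the original post: a dry-run generator that prints the tmsh commands for a batch of pairs so the plan can be reviewed before anything is changed. It uses the `tmsh install sys crypto ... from-local-file` form of the install commands; the staging directory, the inventory format and the profile and object names are assumptions, and it assumes installed objects are referenced by the name given at install.

```shell
#!/bin/sh
# Added example: print (not run) the tmsh commands for a batch cert/key rotation.
# stdin: one line per client-ssl profile:  PROFILE NEW_NAME [CHAIN]
# NEW_NAME is the new object name, e.g. subject plus expiration year.
# STAGE_DIR (assumed path) holds the uploaded NEW_NAME.key and NEW_NAME.crt.
STAGE_DIR="${STAGE_DIR:-/var/tmp/newcerts}"

plan_rotation() (
    n=0
    while read -r profile name chain extra; do
        n=$((n + 1))
        case "$profile" in ''|'#'*) continue ;; esac
        # Reject incomplete lines and any character outside a safe set, so the
        # inventory cannot smuggle extra shell or tmsh syntax into the plan.
        bad=0
        if [ -z "$name" ] || [ -n "$extra" ]; then bad=1; fi
        case "$profile$name$chain" in *[!A-Za-z0-9._-]*) bad=1 ;; esac
        if [ "$bad" -eq 1 ]; then
            echo "# line $n skipped: malformed entry"
            continue
        fi
        # New names leave the in-use key untouched until the profile is switched.
        echo "tmsh install sys crypto key $name from-local-file $STAGE_DIR/$name.key"
        echo "tmsh install sys crypto cert $name from-local-file $STAGE_DIR/$name.crt"
        entry="cert $name key $name"
        if [ -n "$chain" ]; then entry="$entry chain $chain"; fi
        echo "tmsh modify ltm profile client-ssl $profile cert-key-chain" \
             "replace-all-with { $name { $entry } }"
    done
)

# Constructed sample inventory (hypothetical profile and object names).
plan_rotation <<'EOF'
# profile   new-name               chain
cssl_www    www.example.com-2026   ca-chain-2026
cssl_api    api.example.com-2026
EOF
```

Review the printed plan, then run it on the BIG-IP; the old pairs can be deleted once no profile references them.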