SSL certificate renewal
Hi Guys,
As in the past (in v10) I've seen that the certificate re-import (i.e. overwriting an existing certificate with a new certificate) was not fully transparent to the SSL profile, and the related SSL profile had to be updated in order to use the renewed certificate (even though the certificate name was unchanged).
v11 should be OK, as it uses a more sophisticated method (by automatically modifying the certificate extension in the file system while keeping the cert name unchanged in the GUI).
This happens in the background when you re-import (modify an existing) certificate (or cert bundle) in v11:
directory: /config/filestore/files_d/Common_d/certificate_d
cert bundle file before the re-import:
-rw-r--r-- 1 tomcat tomcat 4374 Aug 7 2012 :Common:CA_chain.crt_1
cert bundle file after the re-import:
-rw-r--r-- 1 tomcat tomcat 19806 Apr 18 10:45 :Common:CA_chain.crt_2
The "_x" suffix increments with every re-import.
-----------------------
v10 is a different story and therefore I would like to know how safe it is to overwrite a certificate that's currently used by an SSL profile.
Imagine you've got one SSL certificate that is used by 60 SSL profiles and that certificate expires and you have to renew it.
Can you just overwrite the existing certificate by importing the new certificate (basically by overwriting it) without touching the SSL profile?
Otherwise you would need to manually update all 60 SSL profiles.
Thanks
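The question above boils down to "does the SSL profile really serve the renewed certificate?". The following is an added example (not part of the original post and not F5 code) that answers it from the outside: it compares the SHA-256 fingerprint of the leaf certificate a virtual server presents with the fingerprint of the PEM file you just imported, and it also reads a filestore listing like the one in the post to find the highest "_N" revision of each object. It assumes the filestore naming convention shown in the post (a trailing "_N" that increments per import) and uses placeholder host names; the two PEM blobs in the block are constructed sample data, not real certificates.

```python
"""Post-renewal checks: which certificate is actually being served?

Added example, not from the forum post or from F5. Standard library only.
"""
import hashlib
import re
import socket
import ssl

# Filestore object names as shown in the post, e.g. ":Common:CA_chain.crt_2".
# Assumption: the trailing "_N" is the only per-import suffix.
_FILESTORE_RE = re.compile(r"^(?P<name>.+)_(?P<rev>\d+)$")


def filestore_revisions(listing_names):
    """Map each filestore object (":Partition:name") to its highest "_N" revision.

    Input: file names as listed in /config/filestore/files_d/Common_d/certificate_d.
    """
    latest = {}
    for name in listing_names:
        m = _FILESTORE_RE.match(name)
        if not m:
            continue  # not a revisioned filestore name; ignore
        base, rev = m.group("name"), int(m.group("rev"))
        if rev > latest.get(base, -1):
            latest[base] = rev
    return latest


def fingerprint_of_der(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(pem_text):
    """Fingerprint of the first certificate in a PEM blob (the leaf of a bundle)."""
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem_text))


def served_fingerprint(host, port=443, sni=None, timeout=5.0):
    """Fingerprint of the leaf certificate a live TLS endpoint presents.

    Verification is deliberately disabled: the goal is only to see *which*
    certificate the SSL profile hands out, not to validate the chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_of_der(der)


def renewal_is_live(served_fp, renewed_pem):
    """True when the served leaf matches the certificate that was just imported."""
    return served_fp == fingerprint_of_pem(renewed_pem)


# Constructed sample PEM blobs (arbitrary base64 payloads, NOT real certificates),
# used only to exercise the fingerprint comparison offline.
SAMPLE_PEM_OLD = (
    "-----BEGIN CERTIFICATE-----\n"
    "AAECAwQFBgc=\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_PEM_NEW = (
    "-----BEGIN CERTIFICATE-----\n"
    "CAkKCwwNDg8=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Filestore listing copied from the post: revision 2 is the live copy.
    print(filestore_revisions([":Common:CA_chain.crt_1", ":Common:CA_chain.crt_2"]))
    # Live check against a virtual server (placeholder host; adjust to your VIP):
    # fp = served_fingerprint("vip.example.test", 443, sni="www.example.test")
    # print(renewal_is_live(fp, open("renewed.crt").read()))
```

Run the live check once per virtual server that references the profile: if `renewal_is_live` is False after the import, the profile is still holding the previous copy and needs to be updated or the configuration reloaded.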
3 Replies
- matus_c_59161
Nimbostratus
Just found this: https://devcentral.f5.com/community/group/aft/2160830/asg/51
"Note that this was fixed in v11.0 so you can import a new cert or key from the GUI or tmsh and each SSL profile which references the files will load the new file automatically."
Do you have any official source saying this?
Or has this been proved to be working?
Thanks a lot
- hoolio
Cirrostratus
The issue was fixed in 11.0:
sol10561: The BIG-IP system may not use a renewed SSL certificate
https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html
This is the result of a known issue. If you are replacing an expired SSL certificate on the BIG-IP system, and the new certificate name is the same as the existing certificate, the BIG-IP system may not use the new SSL certificate until the configuration is reloaded or the SSL profile(s) is updated.
F5 Product Development tracked this issue as ID 248109 (formerly CR60320) and it was fixed in BIG-IP version 11.0.0.
Aaron
- matus_c_59161
Nimbostratus
Thanks Aaron, this is exactly what I'm looking for.