Forum Discussion
NimbostratusSSL Certs Renew vs. ReIssue (replace)
We have previously just renewed certificated by generating CRS and then submitting to our in house team to supply a new certificate. That team have now replaced the environment with a PKI managed one where we can get our own by submitting a call to their back end. All good and have this working. However they do not action CSRs anymore but re-issue (not renewed) certificates, which is a problem. If I try to import the .pem into an existing certificate I am faced with an error "xxx's key and certificate do not match", which they wouldn't as they're new. I cannot delete the old one as it's in use by an SSL profile.
Has anyone any thoughts of a way forward ?
Greetings,
It sounds like you'll need to have them generate a pkcs12 (.pfx) file for you. This file is typically passphrase protected and contains both the certificate and key. You can then upload to BIG-IP and associate with the SSL profile.Consider using a naming scheme such as:
etc.
Hope this is helpful!
Kevin
Peter_BevingtonThanks, they do provide exactly that, but it cannot be imported into the F5, it has to be a .pem file. The real issue is that it's a reissue as opposed to a renewal. Effectively a brand new certificate and key which cannot be imported in to an existing defined certificate used by an SSL profile.
- Peter_Bevington
I raised a ticket with F5 support to verify, their response:
F5: You can import the new certificate and key as new SSL objects, and then edit the appropriate SSL profiles to use the new certificate/key and chain.
I Asked: but what if that cert is used in many ssl profiles?
F5: Unfortunately, you will need to identify and update all those SSL profiles. I'd also recommend consolidating those profiles (where possible) to reduce the number of unique ssl profiles that use the same key/certificate/chain.
We have no mechanism to set the key and certificate simultaneously apart from creating a new SSL key and certificate from the PEM file. Attempting to update either the key or the certificate will cause a validation failure and prevent the operation from completing. As you note, replacing a certificate generated from the same key is a seamless operation which does not require that SSL profiles have to be updated.
I'm sorry I do not have any better approach for you to try
Hi Peter,
That all seems correct to me unfortunately. If you need help identifying, perhaps use TMSH?tmsh list ltm profile client-ssl all | grep -i 'profile\|.crt'So for certificate named default.crt:
tmsh list ltm profile client-ssl all | grep -i 'profile\|default.crt'
Hi Peter,
I hope this helps with importing the pkcs12, let us know!https://support.f5.com/csp/article/K146205
Thanks,
Kevin- Peter_Bevington
Using a .p12 allows the replacement of the cert and key pair where using a .pem file does not, odd but true.
For syntax see: https://support.f5.com/csp/article/K154625
11.5.0 and later: install sys crypto pkcs12 .p12 from-local-file /shared/tmp/.p12 passphrase
11.0.0 - 11.4.1: install sys crypto pkcs12 .p12 from-local-file /shared/tmp/.p12 prompt-for-password
