For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Peter_Bevington's avatar
Peter_Bevington
Icon for Nimbostratus rankNimbostratus
Nov 14, 2017

SSL Certs Renew vs. ReIssue (replace)

We have previously just renewed certificated by generating CRS and then submitting to our in house team to supply a new certificate. That team have now replaced the environment with a PKI managed one...
application delivery
certificate
LTM
ssl
TMSH
Peter_Bevington's avatar
Peter_Bevington
Icon for Nimbostratus rankNimbostratus
Nov 15, 2017

I raised a ticket with F5 support to verify, their response:

 

F5: You can import the new certificate and key as new SSL objects, and then edit the appropriate SSL profiles to use the new certificate/key and chain.

 

I Asked: but what if that cert is used in many ssl profiles?

 

F5: Unfortunately, you will need to identify and update all those SSL profiles. I'd also recommend consolidating those profiles (where possible) to reduce the number of unique ssl profiles that use the same key/certificate/chain.

 

We have no mechanism to set the key and certificate simultaneously apart from creating a new SSL key and certificate from the PEM file. Attempting to update either the key or the certificate will cause a validation failure and prevent the operation from completing. As you note, replacing a certificate generated from the same key is a seamless operation which does not require that SSL profiles have to be updated.

 

I'm sorry I do not have any better approach for you to try

 

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account
    Nov 15, 2017

    Hi Peter,

    That all seems correct to me unfortunately. If you need help identifying, perhaps use TMSH? 
    tmsh list ltm profile client-ssl all | grep -i 'profile\|.crt'

    So for certificate named default.crt:

    tmsh list ltm profile client-ssl all | grep -i 'profile\|default.crt'