Forum Discussion

Michel_Lepage_S
Jul 29, 2016

Update only one specific SSL certificate in a bundle

Hello everyone,

For a client I configured a VS to do SSL client certificate verification with APM. They have around 80 partners that access that VS, and each has its own certificate identified by a number.

Also, each client certificate has been issued by its own CA, also identified by that same number.

All certificates are part of a bundle, and that bundle is specified as the ca-file in the SSL profile:


ltm profile client-ssl /Common/services.ssl_client_prof_2 {
    app-service none
    ca-file /Common/certsbundle.crt
    cert /Common/services.crt
    cert-key-chain {
        services_Intermediate_CA_bundle {
            cert /Common/services.crt
            chain /Common/Intermediate_CA_bundle.crt
            key /Common/services_key.key
        }
    }
    chain /Common/Intermediate_CA_bundle.crt
    defaults-from /Common/services_ssl_client_prof
    inherit-certkeychain false
    key /Common/services_key.key
    passphrase none
}


That bundle is in PEM format, and each partner section is identified by their number.

Example:

inline ca-certificate 6003-0780 "end-6003-0780"
-----BEGIN CERTIFICATE-----
"Encrypted Certificate"
-----END CERTIFICATE-----
end-6003-0780


They often have to update one of the certificates in the bundle.

What is the easiest and most reliable way to do this? Is there a command that could replace the section of the file and import the certificates after the change (keeping the same name as specified in the profile)?

Maybe not the best way to do this, but I am thinking of proposing that they use only one CA to issue all the certificates. Would any security issues arise from doing that?

Thank you


  • The only way to do this would be to edit the PEM file to exclude or replace the relevant certificate and replace the certificate on the BIG-IP with the new certificate. There really isn't a way to do this "in place". You could issue and revoke certificates from a central CA, but I don't know how much that would get you in this use case.
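As an added illustration of the offline edit the answer above describes (this is not code from the thread or from F5): the script below treats the bundle in the wrapper layout shown in the question, replaces only the section for one partner number, sanity-checks that the replacement is a single PEM certificate block, and confirms the rewritten bundle still parses to the same set of partners before it is re-imported under the same object name. The helper names, the section grammar and the two-partner sample bundle are assumptions constructed for this example; the PEM bodies are placeholders, not real certificates.

```python
import base64
import re

# Grammar of one partner section, as laid out in the question (hypothetical helper names).
SECTION_RE = re.compile(
    r'\s*inline ca-certificate (?P<id>\S+) "end-(?P=id)"\s+'
    r'(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)\s+'
    r'end-(?P=id)\s*', re.DOTALL)

def parse_bundle(text):
    """Map partner id -> PEM block; reject text the wrapper grammar does not cover."""
    sections, consumed = {}, 0
    for m in SECTION_RE.finditer(text):
        if m.start() != consumed or m.group("id") in sections:
            raise ValueError(f"bad or duplicate section near offset {consumed}")
        sections[m.group("id")] = m.group("pem")
        consumed = m.end()
    if consumed != len(text):
        raise ValueError("trailing text after last section")
    return sections

def check_pem(pem):
    """One PEM block whose body decodes to a DER SEQUENCE, as every X.509 cert does."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a single PEM certificate block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not DER")
    return der

def replace_cert(bundle_text, partner_id, new_pem):
    """Swap only partner_id's certificate; every other section is re-emitted unchanged."""
    sections = parse_bundle(bundle_text)
    if partner_id not in sections:
        raise KeyError(partner_id)
    check_pem(new_pem)
    sections[partner_id] = new_pem.strip()
    out = "".join(f'inline ca-certificate {p} "end-{p}"\n{c}\nend-{p}\n'
                  for p, c in sections.items())
    assert list(parse_bundle(out)) == list(sections)  # round-trip before uploading
    return out

def _pem(payload):  # constructed placeholder: a tiny DER SEQUENCE, not a real certificate
    body = base64.b64encode(b"\x30\x03\x02\x01" + payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed two-partner bundle using the id style from the question's example.
SAMPLE_BUNDLE = "".join(f'inline ca-certificate {p} "end-{p}"\n{_pem(b)}\nend-{p}\n'
                        for p, b in (("6003-0780", b"\x01"), ("6003-0781", b"\x02")))
```

The rewritten text is what you would then import onto the BIG-IP under the existing ca-file name; the round-trip assert is the cheap guard against a typo silently dropping another partner's CA.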