Forum Discussion
Update only one specific SSL certificate in a bundle
Hello everyone
For a client I configured a VS to do SSL Client Certificate verification with APM. They have around 80 partners that access that VS and each has its own certificate identified by a number.
Also, each client certificate has been issued by its own CA, which is identified by that same number.
All certificates are part of a bundle, and that bundle is specified as the ca-file in the SSL profile:
    ltm profile client-ssl /Common/services.ssl_client_prof_2 {
        app-service none
        ca-file /Common/certsbundle.crt
        cert /Common/services.crt
        cert-key-chain {
            services_Intermediate_CA_bundle {
                cert /Common/services.crt
                chain /Common/Intermediate_CA_bundle.crt
                key /Common/services_key.key
            }
        }
        chain /Common/Intermediate_CA_bundle.crt
        defaults-from /Common/services_ssl_client_prof
        inherit-certkeychain false
        key /Common/services_key.key
        passphrase none
    }
That bundle is in PEM format, and each partner section is identified by their number.
Example:
    inline ca-certificate 6003-0780 "end-6003-0780"
    -----BEGIN CERTIFICATE-----
    "Encrypted Certificate"
    -----END CERTIFICATE-----
    end-6003-0780
They often have to update one of the certificates in the bundle.
What is the easiest and most reliable way to do this? Is there a command that could replace the section of the file and import the certificates following the change (keeping the same name as specified in the profile)?
Maybe not the best way to do this, but I am thinking of proposing that they only use one CA to issue all the certificates. Would there be any security issues that would arise by doing that?
Thank you
Chris_Grant (Employee):
The only way to do this would be to edit the pem file to exclude or replace the relevant certificate and replace the certificate on the BigIP with the new certificate. There really isn't a way to do this "in place". You could issue and revoke certificates from a central CA, but I don't know how much that would get you in this use case.
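As an added example (not from the original post, the reply, or F5), here is a small Python helper that does the edit the reply describes for the labelled bundle layout shown in the question: it swaps exactly one partner's section and leaves every other byte of the file untouched, refusing to proceed if the partner id is missing, duplicated, or the replacement is not a single PEM certificate. The sample bundle and its section ids are constructed placeholders, not real certificates.

```python
import re

# Constructed sample in the labelled layout the question describes: each
# partner's CA certificate sits between "inline ca-certificate <id>" and
# "end-<id>". The certificate bodies are placeholders, not real PEM data.
SAMPLE_BUNDLE = """\
inline ca-certificate 6003-0780 "end-6003-0780"
-----BEGIN CERTIFICATE-----
AAAA-placeholder-for-partner-6003-0780
-----END CERTIFICATE-----
end-6003-0780
inline ca-certificate 6003-0781 "end-6003-0781"
-----BEGIN CERTIFICATE-----
BBBB-placeholder-for-partner-6003-0781
-----END CERTIFICATE-----
end-6003-0781
"""
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# One labelled section: the closing "end-<id>" marker must match the opening id.
SECTION_RE = re.compile(
    r'(?P<head>inline ca-certificate (?P<id>\S+) "end-(?P=id)"\n)'
    r"(?P<pem>.*?)"
    r"(?P<tail>\nend-(?P=id)(?:\n|\Z))",
    re.DOTALL,
)

def parse_bundle(text):
    """Map each partner id to its PEM body; a duplicated id is a bundle error."""
    sections = {}
    for m in SECTION_RE.finditer(text):
        if m.group("id") in sections:
            raise ValueError(f"duplicate section for partner {m.group('id')}")
        sections[m.group("id")] = m.group("pem")
    return sections

def replace_section(text, partner_id, new_pem):
    """Swap only partner_id's certificate for new_pem; all other bytes are kept."""
    new_pem = new_pem.strip()
    if not (new_pem.startswith(PEM_BEGIN) and new_pem.endswith(PEM_END)
            and new_pem.count(PEM_BEGIN) == 1):
        raise ValueError("new_pem must be exactly one PEM certificate")
    hits = [m for m in SECTION_RE.finditer(text) if m.group("id") == partner_id]
    if len(hits) != 1:
        raise KeyError(f"expected one section for {partner_id}, found {len(hits)}")
    m = hits[0]
    return text[:m.start()] + m.group("head") + new_pem + m.group("tail") + text[m.end():]
```

The rewritten file still has to be re-installed on the BIG-IP under the same object name the profile's ca-file references (for example with tmsh `install sys crypto cert certsbundle.crt from-local-file <path>`), which is why the helper preserves every other partner's section verbatim so that only the intended trust anchor changes.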