Answers
Renewing SSL certificate for SSL offload - question regarding CSR creation

We are doing SSL Offload (encrypt to clients, plaintext to servers) using a cert that needs to be renewed. The server admin sent us the .crt and .key files that apparently he generated from the server. However, since the F5 is the one handling the SSL encryption (and not the server), shouldn't the CSR be generated from the F5? I am wondering if I can use the renewed cert as provided and continue to do SSL Offload. Thank you!

0
Comments on this Question
Comment made 19-Oct-2016 by Carlos Colon 54

One last thing, are there any concerns with updating the Client SSL Profile in the middle of the day as long as I can make sure that the cert is good beforehand?

0
Comment made 19-Oct-2016 by The Y 210

The one thing you need to be aware of is that once you replace the cert with the new one any currently established connection will have to be re-negotiated.

0
Comment made 19-Oct-2016 by AJ 01 250

Obviously the safe answer would be to wait until after hours.

That said, this would be a quick rollout and rollback. To make the rollout and rollback faster you could create a new Client SSL profile (assuming there's only one VIP using this Client SSL profile), and just apply the new profile to the VIP. Rollback would be reverting to the old profile.

Just for thoroughness' sake, are there any intermediate certificates in the existing Client SSL profile?

0
Comment made 19-Oct-2016 by Carlos Colon 54

Thank you, AJ! There are intermediate certs in the existing Client SSL profile. One weird thing is that the cert is from InCommon but the chain is from Thawte. Not sure why it was set up that way.

0
Comment made 21-Oct-2016 by Carlos Colon 54

Thanks again for your help, AJ! Your 'just for thoroughness' sake' comment allowed me to notice that there were duplicate Client SSL profiles and to ignore/delete the one that had the chain from Thawte!

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you have both the key and the cert, it shouldn't matter that it was generated on the server itself. Just import them both and configure the Client SSL profile to apply to the VIP.

0
Comments on this Answer
Comment made 19-Oct-2016 by Carlos Colon 54

Thank you!! Let me give it a shot.

0
Comment made 19-Oct-2016 by Ashish.Chakravarty 162
  1. Do it after hours.
  2. Take a backup before the cert update so that if something goes down you can roll back.
  3. Upload the cert.
  4. And call it on your SSL profile.
0
Comment made 19-Oct-2016 by Carlos Colon 54

Thank you, Ashish! I backed up the F5 configuration this morning. The customer wants it renewed asap so I may not be able to wait until after hours. I will try to wait until late in the day.

0
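Before importing the renewed pair and pointing the Client SSL profile at it, it is worth a quick offline check that the .crt and .key the server admin sent actually belong together, that the cert is not about to expire, and that the chain file you intend to attach really issued it (the InCommon-cert-with-Thawte-chain mix-up mentioned in the comments would fail the last check). This is an added example using plain openssl on a workstation, not code from the thread or from F5; file names are placeholders.

```shell
#!/bin/sh
# Pre-import sanity checks for a renewed cert/key pair destined for an
# F5 Client SSL profile. Added example; file names are placeholders.
# Usage: precheck server.crt server.key chain.crt

# 1. The private key must match the public key embedded in the cert.
#    Both commands print the SubjectPublicKeyInfo in PEM, so compare them.
pubkeys_match() {
    cert=$1; key=$2
    certpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# 2. The cert must remain valid for at least $2 seconds (default: one day),
#    so we never swap an already-expired or about-to-expire cert onto the VIP.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# 3. The supplied chain must actually issue the cert. -partial_chain lets
#    verification stop at an intermediate, which is what an F5 chain file
#    normally holds (no root), so a chain from a different CA fails here.
chain_verifies() {
    cert=$1; chain=$2
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Run all three checks; return non-zero if any of them fails.
precheck() {
    cert=$1; key=$2; chain=$3; rc=0
    if pubkeys_match "$cert" "$key"; then echo "ok: key matches cert"
    else echo "FAIL: key does not match cert"; rc=1; fi
    if not_expiring "$cert"; then echo "ok: cert valid for at least 24h"
    else echo "FAIL: cert expired or expiring within 24h"; rc=1; fi
    if chain_verifies "$cert" "$chain"; then echo "ok: chain issues this cert"
    else echo "FAIL: chain does not issue this cert (wrong CA bundle?)"; rc=1; fi
    return $rc
}
```

A non-zero exit means do not import yet; fix the pair or the chain first, then import cert, key and chain and attach them to the (new or existing) Client SSL profile as the answer describes.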
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Yes, you can. It doesn't matter where the cert is generated. As long as the cert is good you can use it.

0
Comments on this Answer
Comment made 19-Oct-2016 by Carlos Colon 54

Very cool. Thank you!

0
Comment made 20-Oct-2016 by Ashish.Chakravarty 162

Good luck!

0