issue when renew certificate on BIG-IP v10.1

Question

i renew the certificate for mydomaine

&nbsp;i imported the new one provided by Thawte using 'import' function on the existing certificate
&nbsp;it seems ok on the big-ip, i see the new expire date but when i go to the
 browser:

&nbsp;i see the expiration date and not the new one !&nbsp;
&nbsp;like if the new one has been installed but not take in account for the https access.
&nbsp;Did you encounter this issue?&nbsp;&nbsp;

michael_yates · Answer

SSL Certificate renewal is in two parts on the F5. 
&nbsp;  
&nbsp; Get the SSL Key and Cert imported and paired in the SSL Certificates store on the F5, and then update SSL Profile to point to the new SSL Certificate. 
&nbsp;  
&nbsp; Local Traffic -&gt; Profiles 
&nbsp;  
&nbsp; Then on the top row:  SSL -&gt; Client 
&nbsp;  
&nbsp; Update the SSL Profile that is applied to the Virtual Server in question, and then you will see the new SSL Certificate. &nbsp;

mic_108850 · Answer

hi , 
&nbsp; in fact, i have not been accurate. It's not a renew, it's just an import of the new key from Thawte for the same certificate which will expire tomorrow. 
&nbsp; So i've just imported the new key and now i see the new expiration date on Local Traffic  ››  SSL Certificates  ›› certificate 
&nbsp; The client SSL profile was already attached the the virtual server

hamish · Answer

Wrong terminology...  
&nbsp;  
&nbsp; The key is is the secret part of the key pair that was created when you (Or someone else) created the CSR... (A CSR is the public key, plus attributes, e.g. cn= etc.).  
&nbsp;  
&nbsp; The cert is the CSR that has been cryptographically signed by the CA's private key (So you can use their public key to check the signing).  
&nbsp;  
&nbsp; It's the CERT that changes... Not the key... (For a renewal you take the same keypair and basically resubmit it to the CA for signing again wit a new expiry date - hence the cert is different). I'll reiterate again that I don't recommend reusing the same for a renewal. Much better to re-create a new keypair using the currently supported max length (Currently 2048 which is also the minimum you should be using). 
&nbsp;  
&nbsp; H

hamish · Answer

Oh... If you've re-imported a new cert for an existing key, the system doesn't know the cert has changed (It's still using the cached copy).  
&nbsp;  
&nbsp; I'm not sure how long the tmm will cache it for either... Maybe forever... (I saw a fix in 10.2.0 for cached certs, but didn't read it fully to see if it would fix the problem you're seeing). 
&nbsp;  
&nbsp; You may have to force a change... If you copy the clientssl profile to a new one (i.e. different name, same parameters, cert &amp; key) and then change the profile on the VS it should force tmm to load the new copy of the cert... You can then change the profile back to the original one and remove the copy. 
&nbsp;  
&nbsp; H

mic_108850 · Answer

right, i think that is what's happening. the old one is probably in cache in TMM...i'm going to try what you told me

Forum Discussion

issue when renew certificate on BIG-IP v10.1

8 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Re: Becoming F5 Certified - BIG-IP Administrator Certification - 101 & 201 Exams

Quick Optimizations for F5 BIG-IP Virtual Edition

Getting Started with BIG-IP Next: Upgrading Central Manager

Re: Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ