Mic_108850
May 13, 2010
Issue when renewing certificate on BIG-IP v10.1
Get the SSL Key and Cert imported and paired in the SSL Certificates store on the F5, and then update SSL Profile to point to the new SSL Certificate.
Local Traffic -> Profiles
Then on the top row: SSL -> Client
Update the SSL Profile that is applied to the Virtual Server in question, and then you will see the new SSL Certificate.
In fact, I have not been accurate. It's not a renewal, it's just an import of the new key from Thawte for the same certificate, which will expire tomorrow.
So I've just imported the new key and now I see the new expiration date on Local Traffic ›› SSL Certificates ›› certificate.
The client SSL profile was already attached to the virtual server.
The key is the secret part of the key pair that was created when you (or someone else) created the CSR... (A CSR is the public key, plus attributes, e.g. cn= etc.).
The cert is the CSR that has been cryptographically signed by the CA's private key (So you can use their public key to check the signing).
It's the CERT that changes... Not the key... (For a renewal you take the same keypair and basically resubmit it to the CA for signing again with a new expiry date - hence the cert is different). I'll reiterate again that I don't recommend reusing the same for a renewal. Much better to re-create a new keypair using the currently supported max length (Currently 2048 which is also the minimum you should be using).
H
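The key/CSR/cert relationship described in the post above, as an added example that is not part of the original thread: it signs one CSR twice with a throwaway CA and shows that the two certificates differ while both still pair with the same private key. It assumes the `openssl` command-line tool is installed; the file names, the "Demo CA" and the `www.example.test` subject are constructed for the demo.

```bash
# Added example. File names and subjects are constructed for the demo.
set -u

# Hash the PEM public key read on stdin.
hash_pem() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Public-key hash derived from a private key file.
key_pub_hash() {
    _pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s' "$_pem" | hash_pem
}

# Public-key hash taken from inside a certificate.
cert_pub_hash() {
    _pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s' "$_pem" | hash_pem
}

# Fingerprint of the whole certificate; differs for every re-issue.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Succeeds only if certificate $2 carries the public half of key $1.
cert_matches_key() {
    _k=$(key_pub_hash "$1") || return 1
    _c=$(cert_pub_hash "$2") || return 1
    [ "$_k" = "$_c" ]
}

# Build a throwaway CA, a server key and CSR, then sign the same CSR twice.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Demo CA" -days 30 2>/dev/null
    openssl genrsa -out "$d/site.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # unrelated key
    openssl req -new -key "$d/site.key" -subj "/CN=www.example.test" -out "$d/site.csr"
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/old.crt" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 365 -out "$d/new.crt" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo "$DEMO_DIR"
for crt in old.crt new.crt; do
    echo "$crt: $(openssl x509 -in "$DEMO_DIR/$crt" -noout -enddate)"
    echo "  fingerprint: $(cert_fingerprint "$DEMO_DIR/$crt")"
    cert_matches_key "$DEMO_DIR/site.key" "$DEMO_DIR/$crt" && echo "  pairs with site.key"
done
cert_matches_key "$DEMO_DIR/other.key" "$DEMO_DIR/new.crt" || echo "other.key does not pair"
```

The same `cert_matches_key` check can be run on an exported key and the newly issued certificate before the client SSL profile is pointed at them.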
I'm not sure how long the tmm will cache it for either... Maybe forever... (I saw a fix in 10.2.0 for cached certs, but didn't read it fully to see if it would fix the problem you're seeing).
You may have to force a change... If you copy the clientssl profile to a new one (i.e. different name, same parameters, cert & key) and then change the profile on the VS it should force tmm to load the new copy of the cert... You can then change the profile back to the original one and remove the copy.
H
SOL10561: The BIG-IP system may not use a renewed SSL certificate
https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html
Aaron