Forum Discussion

Ottimo_Massimo_
Jan 17, 2012

Go Daddy gd_bundle.crt

Hi,

One of our SSL certificates is due for renewal. For complicated reasons the management of our account with Go Daddy is maintained by another department. This department has requested and been provided with a new certificate for our domain (go.test.com for example) along with a gd_bundle.crt intermediate certificate bundle.

So, the request for a renewed certificate was not made from the LTM, rather via the Go Daddy website.

My question is, if a Go Daddy intermediate certificate bundle is already present on our LTM (expiry date not linked to the expiry date for the certificate assigned to go.test.com), is there any need to replace the existing Go Daddy intermediate certificate bundle with the contents of the new gd_bundle.crt certificate?

If so, should the following process be sufficient to renew the certificate:

Via the LTM GUI select Local Traffic -> SSL Certificates -> go.test.com certificate -> Import -> Paste Text (paste the new certificate between BEGIN and END markers) -> Import

Thanks in advance!

 

6 Replies

  • > My question is, if a Go Daddy intermediate certificate bundle is already present on our LTM (expiry date not linked to the expiry date for the certificate assigned to go.test.com), is there any need to replace the existing Go Daddy intermediate certificate bundle with the contents of the new gd_bundle.crt certificate?

    Sometimes a CA changes its intermediate certificate, so I think you had better check whether it is a new intermediate certificate or not. If not, you do not need to change your existing one.

    > Via the LTM GUI select Local Traffic -> SSL Certificates -> go.test.com certificate -> Import -> Paste Text (paste the new certificate between BEGIN and END markers) -> Import

    Yes.

    Just in case you have not yet seen this sol.

    sol10561: The BIG-IP system may not use a renewed SSL certificate

    http://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html?sr=18764241
  • Hi Nitass,

    Thanks very much for the quick reply. The existing and new Go Daddy intermediate certificate bundles have the same expiry date. And a quick diff on each reports no differences, so it looks like they're identical.

    Thanks for the tip on sol10561. I've come across this before and from what I can remember following those steps resolved any odd issues with the VIP(s) not picking up the new certificate. As a last resort, I can always re-apply the VIP configuration via the CLI!
  • Should probably mention that the go.test.com certificate profile references chain GoDaddy_Intermediate_Certificate.crt, which contains the first entry in the chain provided by gd_bundle.crt.

    Time for a refresher course in SSL certificates I think! Any recommendations?
  • Nowadays most CAs use two-level intermediate certificates (two certificates in the chain). I see there are 2 intermediate certificates and 1 root certificate in gd_bundle.crt. Shouldn't your intermediate contain two certificates?
  • That's a good question. I'm not 100% sure why this is the case. GoDaddy_Intermediate_Certificate.crt was created by somebody else and based on all the evidence seems to be working fine. I'll try to do some digging and get back to you.

    Thanks again!
  • > I'm not 100% sure why this is the case. GoDaddy_Intermediate_Certificate.crt was created by somebody else and based on all the evidence seems to be working fine.

    I understand it is working fine most of the time because intermediate certificates have been pre-installed on the client machine, i.e. they come with the operating system or a software/patch update.
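
Added example, not part of any post in this thread: one way to check whether a new gd_bundle.crt differs from the chain file already installed is to compare the certificates one by one by SHA-256 fingerprint, which ignores line endings and re-wrapping and also shows when the installed file holds fewer certificates than the bundle. The certificate bodies below are constructed placeholder bytes, not real Go Daddy certificates, and the function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM bundle, in file order."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # Strip all whitespace so CRLF files and re-wrapped base64 compare equal.
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def compare_bundles(installed_pem, new_pem):
    """Report which certificates of the new bundle are absent from the installed file."""
    installed = cert_fingerprints(installed_pem)
    new = cert_fingerprints(new_pem)
    return {
        "installed_count": len(installed),
        "new_count": len(new),
        "identical": installed == new,
        # Positions (0-based) in the new bundle that the installed file lacks.
        "missing_from_installed": [i for i, fp in enumerate(new) if fp not in installed],
    }

def fake_pem(der, newline="\n", width=64):
    """Constructed stand-in: wraps arbitrary bytes as a PEM block (not a real certificate)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

# Constructed sample data mirroring the thread: the bundle carries two intermediates
# and a root, while the installed chain file carries only the first entry
# (saved here with CRLF line endings and a different wrap width).
INTERMEDIATE_1 = b"constructed intermediate 1 " * 8
INTERMEDIATE_2 = b"constructed intermediate 2 " * 8
ROOT = b"constructed root " * 8
NEW_BUNDLE = "".join(fake_pem(c) for c in (INTERMEDIATE_1, INTERMEDIATE_2, ROOT))
INSTALLED_CHAIN = fake_pem(INTERMEDIATE_1, newline="\r\n", width=76)

if __name__ == "__main__":
    print(compare_bundles(INSTALLED_CHAIN, NEW_BUNDLE))
```

With real files, read each one as text and pass the contents to `compare_bundles`; a non-empty `missing_from_installed` means the installed chain file does not carry every certificate in the bundle.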