Forum Discussion

Peter_Bevington
Nov 14, 2017

SSL Certs Renew vs. ReIssue (replace)

We have previously just renewed certificates by generating CSRs and then submitting them to our in-house team to supply a new certificate. That team have now replaced the environment with a PKI-managed one where we can get our own by submitting a call to their back end. All good and have this working. However they do not action CSRs anymore but re-issue (not renew) certificates, which is a problem. If I try to import the .pem into an existing certificate I am faced with an error "xxx's key and certificate do not match", which they wouldn't as they're new. I cannot delete the old one as it's in use by an SSL profile.

Has anyone any thoughts of a way forward?

6 Replies

  • Kevin_K_51432
    Historic F5 Account

    Greetings,

    It sounds like you'll need to have them generate a pkcs12 (.pfx) file for you. This file is typically passphrase protected and contains both the certificate and key. You can then upload to BIG-IP and associate with the SSL profile.

    Consider using a naming scheme such as:

    etc.

    Hope this is helpful!

    Kevin

  • Thanks, they do provide exactly that, but it cannot be imported into the F5, it has to be a .pem file. The real issue is that it's a reissue as opposed to a renewal. Effectively a brand new certificate and key which cannot be imported into an existing defined certificate used by an SSL profile.

  • I raised a ticket with F5 support to verify, their response:

    F5: You can import the new certificate and key as new SSL objects, and then edit the appropriate SSL profiles to use the new certificate/key and chain.

    I asked: but what if that cert is used in many SSL profiles?

    F5: Unfortunately, you will need to identify and update all those SSL profiles. I'd also recommend consolidating those profiles (where possible) to reduce the number of unique SSL profiles that use the same key/certificate/chain.

    We have no mechanism to set the key and certificate simultaneously apart from creating a new SSL key and certificate from the PEM file. Attempting to update either the key or the certificate will cause a validation failure and prevent the operation from completing. As you note, replacing a certificate generated from the same key is a seamless operation which does not require that SSL profiles have to be updated.

    I'm sorry I do not have any better approach for you to try.

    • Kevin_K_51432
      Historic F5 Account

      Hi Peter,

      That all seems correct to me unfortunately. If you need help identifying, perhaps use TMSH?

      tmsh list ltm profile client-ssl all | grep -i 'profile\|.crt'

      So for certificate named default.crt:

      tmsh list ltm profile client-ssl all | grep -i 'profile\|default.crt'

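As an added example (not code from the thread or from F5), the following Python script does the same job as the tmsh/grep one-liner above but with whole-token matching, so searching for default.crt does not also hit a profile using mydefault.crt: it parses a constructed sample of `tmsh list ltm profile client-ssl all` output, lists every client-ssl profile that references the given certificate (top-level or inside a cert-key-chain entry), and emits one `tmsh modify` per affected profile pointing it at the new cert/key/chain, which is the update F5 support describes. The sample output, profile and object names, and the `cert-key-chain replace-all-with` modify syntax are assumptions.

```python
import re

# Constructed sample of `tmsh list ltm profile client-ssl all` output (brace layout mirrors tmsh's).
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl app1_clientssl {
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            chain ca-bundle.crt
            key default.key
        }
    }
}
ltm profile client-ssl app2_clientssl {
    cert mydefault.crt
    key mydefault.key
}
ltm profile client-ssl app3_clientssl {
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
}
"""

BLOCK_START = re.compile(r"^ltm profile client-ssl (\S+) \{$")
CERT_LINE = re.compile(r"^\s*cert (\S+)$")


def profiles_using_cert(tmsh_output, cert_name):
    """Names of client-ssl profiles whose cert (top-level or in a cert-key-chain entry)
    is exactly cert_name; whole-token matching avoids grep's substring false positives."""
    matches, current, depth = [], None, 0
    for line in tmsh_output.splitlines():
        start = BLOCK_START.match(line)
        if start and depth == 0:
            current = start.group(1)          # entering a new profile block
        depth += line.count("{") - line.count("}")
        cert = CERT_LINE.match(line)
        if current and cert and cert.group(1) == cert_name and current not in matches:
            matches.append(current)
    return matches


def modify_commands(profiles, cert, key, chain, keychain="renewed"):
    """One tmsh command per affected profile swapping in the new cert/key/chain as a single
    cert-key-chain entry (assumed tmsh syntax; the new SSL objects must already exist)."""
    return [f"tmsh modify ltm profile client-ssl {p} cert-key-chain replace-all-with "
            f"{{ {keychain} {{ cert {cert} key {key} chain {chain} }} }}" for p in profiles]
```

Run the generated commands on the BIG-IP only after the new key and certificate have been imported as separate SSL objects; the old objects can be deleted once no profile references them.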
  • Using a .p12 allows the replacement of the cert and key pair where using a .pem file does not, odd but true.

    For syntax see: https://support.f5.com/csp/article/K154625

    11.5.0 and later: install sys crypto pkcs12 .p12 from-local-file /shared/tmp/.p12 passphrase

    11.0.0 - 11.4.1: install sys crypto pkcs12 .p12 from-local-file /shared/tmp/.p12 prompt-for-password