Open HTTPS connections during SSL cert overwrite

Question

An CA SSL cert &amp; key were imported for use in SSL offloading and are working.  The CA cert is nearing the expiration data.  The plan is to import and overwrite the old cert and key with a new cert and key.  Question is what happens to open connections when the cert is overwritten?  Do they complete normally or are they dropped/terminated?  I am trying to determine if an outage will occur requiring a maintenance window.  Or, hopefully, this can be done during low traffic.  Would replacing only the cert and leaving the key change the behavior?&nbsp;

nitass · Answer

if key is changed when renewing, i think you have to create new certificate and key names and then assign the new certificate and key to clientssl profile. the change could affect only new connection. the existing connection should use the old configuration.&nbsp;
sol13253: Configuration changes to local traffic objects do not affect existing connections&nbsp;
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html&nbsp;

nitass_89166 · Answer

if key is changed when renewing, i think you have to create new certificate and key names and then assign the new certificate and key to clientssl profile. the change could affect only new connection. the existing connection should use the old configuration.&nbsp;
sol13253: Configuration changes to local traffic objects do not affect existing connections&nbsp;
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html&nbsp;

omniplex · Answer

I've also found that depending on the version that if the cert and key are already loaded into memory, you need to do something to cause the files to be re-read. Either changing the profile to something else and then back or reloading the configuration.
Depending on your setup, you could update the standby device if this is in an HA pair, and fail over to that device and then update the previous device.

omniplex · Answer

I've also found that depending on the version that if the cert and key are already loaded into memory, you need to do something to cause the files to be re-read. Either changing the profile to something else and then back or reloading the configuration.
Depending on your setup, you could update the standby device if this is in an HA pair, and fail over to that device and then update the previous device.

nitass · Answer

I've also found that depending on the version that if the cert and key are already loaded into memory, you need to do something to cause the files to be re-read.&nbsp;

thanks for comment. is this what you are talking about?&nbsp;
sol10561: The BIG-IP system may not use a renewed SSL certificate&nbsp;
https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10561.html?sr=36885538&nbsp;

Forum Discussion

Open HTTPS connections during SSL cert overwrite

6 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Session/Connection Management during a Failover event in a HA Peer

Phishing During a Pandemic

Ansible Error: An exception occurred during task execution

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors

Troubeshooting website connection