Forum Discussion

jwckauman (Altostratus)
Sep 25, 2022

Renewed & Overwritten certificate not being used by some clients

We renewed our primary SSL Certificate for the bulk of our SSL Profiles and overwrote the existing cert (which was expiring). In our testing, we see most of our internal clients using the new certificate, but several external clients are still using the old, expiring certificate. Why wouldn't these clients pick up the new renewed certificate? Why do some clients see the new cert and others do not? How do we force the clients still using the old certificate to switch to the new one? Ideally we do not want to impact existing sessions (do not want to "kick anyone out"). Thank you for any suggestions.

  • Hello, existing connections continue to use the old SSL certificate until the connections complete or are renegotiated or until the Traffic Management Microkernel (TMM) is restarted.

    I see you also mentioned all "external" clients seem to have this problem. Is there another device that external clients might meet before F5 that also inspects SSL traffic? Something like a third-party WAF. In that case, what you might be seeing is the third party's cert, which might not have been updated. This would be pretty easy to confirm with a traffic dump: if you see that F5 presents the correct certificate in the SSL handshake, it means the problem is somewhere else.

    • jwckauman (Altostratus)

      Thank you! Do you happen to know what causes the connections to complete or renegotiate? And what effect does restarting the Traffic Management Microkernel (TMM) have on existing connections?

      I don't know for sure if it's all external connections. I know some external connections use the new cert on some of our virtual servers but not others. It's a mixed bag. 

      • CA_Valli (MVP)

        Connections complete when they either time out or get TCP FIN packets. This means that when you renew the certificate, there's no impact on existing connections (they don't need to renegotiate), while all new connections should be able to see the new cert already.

        Restarting TMM causes traffic disruption and should be done in a maintenance window. 

        If the problem is on some VSs and not others, you might want to take a look at the clientSSL profile as well, to confirm that they're correctly referencing the new crt/key pair (which they should if you have overwritten them as you said) and the correct intermediate/root certificates in the trust chain.
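The check the replies above describe (confirm which certificate the virtual server actually presents, and compare it with the renewed cert on disk) as an added example; this is not code from the thread or from F5. It uses plain `openssl s_client`, so it can be run from an internal host, from the BIG-IP itself, and from an external vantage point to tell a stale cert in front of the BIG-IP apart from a profile that still references the old cert/key. The hostnames, port, SNI names and the path of the renewed certificate are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify which leaf certificate a TLS
# endpoint presents and classify it against the renewed certificate's
# SHA-256 fingerprint. All hostnames and file paths below are assumptions.

# SHA-256 fingerprint of the first certificate in a PEM file, as upper-case
# colon-separated hex (AB:CD:...). Empty output means the file held no cert.
cert_fp_file() {   # path
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr 'a-z' 'A-Z'
}

# Fetch the leaf certificate an endpoint presents for a given SNI name.
# stdin from /dev/null ends the session right after the handshake, so no
# application data is sent; only the cert matters here.
presented_cert() {   # host port sni
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Fingerprint of the presented leaf cert, same format as cert_fp_file.
presented_fp() {   # host port sni
    presented_cert "$1" "$2" "$3" \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr 'a-z' 'A-Z'
}

# Classify an endpoint: NEW if it presents the renewed cert, OLD if it
# presents some other certificate (stale device in front of the BIG-IP, or a
# Client SSL profile still pointing at the old pair), NOHANDSHAKE if no
# certificate came back at all (port closed, SNI rejected, TLS not terminated).
classify_vip() {   # host port sni expected_fp
    fp=$(presented_fp "$1" "$2" "$3")
    if [ -z "$fp" ]; then
        echo NOHANDSHAKE
    elif [ "$fp" = "$4" ]; then
        echo NEW
    else
        echo OLD
    fi
}

# Subject, serial and expiry of whatever was presented, so an OLD result can
# be matched against the certificate you expected to have replaced.
presented_details() {   # host port sni
    presented_cert "$1" "$2" "$3" | openssl x509 -noout -subject -serial -enddate
}

# Usage: sh check_vips.sh run /path/to/renewed.crt
# The VIP list is a constructed placeholder; one "host port sni" per line.
if [ "${1:-}" = "run" ]; then
    NEW_FP=$(cert_fp_file "${2:-renewed.crt}")
    [ -n "$NEW_FP" ] || { echo "could not read renewed cert" >&2; exit 2; }
    while read -r host port sni; do
        [ -n "$host" ] || continue
        result=$(classify_vip "$host" "$port" "$sni" "$NEW_FP")
        printf '%s:%s (SNI %s): %s\n' "$host" "$port" "$sni" "$result"
        [ "$result" = "OLD" ] && presented_details "$host" "$port" "$sni"
    done <<EOF
www.example.com 443 www.example.com
portal.example.com 443 portal.example.com
EOF
fi
```

Run it once from inside the network and once from the outside. If the BIG-IP (or an internal client) reports NEW for a VIP while an external client reports OLD, the stale certificate is being presented by something between the external client and the BIG-IP, and the fix belongs there. If a VIP reports OLD from everywhere, check the Client SSL profile attached to that virtual server (`tmsh list ltm profile client-ssl <name>` on the BIG-IP shows the cert, key and chain it references). NEW results alongside clients that still show the old cert are consistent with the long-lived connections the first reply describes: those sessions keep the certificate they negotiated until they close or renegotiate.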