Randy_Banks_470
Jan 15, 2016

Replacing/updating multiple cert/key pairs

I have multiple cert/key (39) pairs that need to be replaced with updated pairs. Is there a simple way to package and replace these certs without having to first disassociate them from the profiles and delete the old pairs?

 

  • What I tend to do is to create a tgz with the same folder structure as when exporting certs via the archive function and put all the new certs and keys in there with new names based on their subject-expiration year. i.e. one folder named ssl.crt and one named ssl.key. I then import that.

    You could also upload them via sftp and import them with

    tmsh install crypto key  from-file-location 
    and
    tmsh install crypto cert  from-file-location 
    .

    Then from there I just script the replacing of the cert, key, and chain (if necessary) of the client ssl profile

    tmsh modify ltm profile client-ssl  cert-key-chain replace-all-with { {cert  key  chain }}

    You could also easily do this via iControl as well if you wanted to. The reason you have to do this is you cannot replace a key that is currently in use in a profile. You can replace a cert if it is generated from the existing key as this would be considered a renewal.
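
A pre-import check for the packaging approach described in the reply above, as an added example that is not part of the original thread: it confirms each new certificate matches its private key, then stages the pair into the ssl.crt / ssl.key layout under a subject-plus-expiration-year name. The function names, the .crt/.key suffixes and the staging directory are assumptions, and the openssl CLI is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): stage renewed cert/key pairs into the
# ssl.crt / ssl.key folder layout, rejecting pairs whose public keys differ.
# Function names and the .crt/.key file suffixes are assumptions.

# Emit the PEM public key held by a certificate ($1=cert) or private key ($1=key).
pubkey_pem() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# Succeed only if the certificate and private key carry the same public key.
pair_matches() {
  local c k
  c=$(pubkey_pem cert "$1") || return 1
  k=$(pubkey_pem key "$2") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build "<subject CN>-<expiration year>", with unsafe filename characters replaced.
staged_name() {
  local cn year
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p' | head -n 1)
  year=$(openssl x509 -in "$1" -noout -enddate | awk '{print $(NF-1)}')
  [ -n "$cn" ] && [ -n "$year" ] || return 1
  printf '%s-%s\n' "$(printf '%s' "$cn" | tr -c 'A-Za-z0-9._-' '_')" "$year"
}

# Copy one verified pair into <staging>/ssl.crt and <staging>/ssl.key.
stage_pair() {   # $1 = cert file, $2 = key file, $3 = staging directory
  local name
  pair_matches "$1" "$2" || { echo "MISMATCH: $1 / $2" >&2; return 1; }
  name=$(staged_name "$1") || return 1
  mkdir -p "$3/ssl.crt" "$3/ssl.key"
  cp "$1" "$3/ssl.crt/$name.crt"
  (umask 077 && cp "$2" "$3/ssl.key/$name.key")   # key copy readable by owner only
  echo "$name"
}

# Package the staging directory for import once every pair has been staged.
pack_staging() {   # $1 = staging directory, $2 = output .tgz
  tar -czf "$2" -C "$1" ssl.crt ssl.key
}
```

Passphrase-protected keys need a `-passin` option added to the `openssl pkey` call.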