I'm having a problem updating the certs and keys I have in my ssl-proxy service.
My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
I changed my certs hot while the application was still running worked like a charm.
What i did was.
- import the new certificate into the crypto store (pkcs12)
- prepare a textfile with the necessary commands
no key old
no cert old
- paste the commands into the running config.
I had several Customers and Application Admins test the App. while i was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert old connections were using the old cert. No trouble at all.
And yes the ACE caches the certs if i am not mistaken.
If you want to make sure that it works just create a test context or try it on a test farm first. That's what i did prior to changing the certs and the config on the production enviroment.
Hope it helps.