03-26-2008 04:45 PM
I'm having a problem updating the certs and keys I have in my ssl-proxy service.
My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
Thanks!
Solved! Go to Solution.
03-26-2008 04:58 PM
I changed my certs hot while the application was still running worked like a charm.
What i did was.
- import the new certificate into the crypto store (pkcs12)
- prepare a textfile with the necessary commands
no key old
key new
no cert old
cert new
- paste the commands into the running config.
I had several Customers and Application Admins test the App. while i was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert old connections were using the old cert. No trouble at all.
And yes the ACE caches the certs if i am not mistaken.
If you want to make sure that it works just create a test context or try it on a test farm first. That's what i did prior to changing the certs and the config on the production enviroment.
Hope it helps.
Roble
03-26-2008 04:58 PM
I changed my certs hot while the application was still running worked like a charm.
What i did was.
- import the new certificate into the crypto store (pkcs12)
- prepare a textfile with the necessary commands
no key old
key new
no cert old
cert new
- paste the commands into the running config.
I had several Customers and Application Admins test the App. while i was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert old connections were using the old cert. No trouble at all.
And yes the ACE caches the certs if i am not mistaken.
If you want to make sure that it works just create a test context or try it on a test farm first. That's what i did prior to changing the certs and the config on the production enviroment.
Hope it helps.
Roble
03-26-2008 05:08 PM
Thanks.
I'm using the same filenames to try and keep my certs for all my site managable. Maybe using a different file name and doing the "no cert old" - "cert new" thing will make it recognize the new cert.
I'll give that a try.
Thanks again!
03-26-2008 05:16 PM
That did the trick. I think the new filename is key.
Thanks a bunch!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: