Cisco Support Community
New Member

ACE SSL - Modifying certs and keys

I'm having a problem updating the certs and keys I have in my ssl-proxy service.

My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.

Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: ACE SSL - Modifying certs and keys

I changed my certs hot while the application was still running; it worked like a charm.

What I did was:

- import the new certificate into the crypto store (pkcs12)

- prepare a text file with the necessary commands:

    no key old
    key new
    no cert old
    cert new

- paste the commands into the running config.

I had several customers and application admins test the app while I was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert; old connections were using the old cert. No trouble at all.

And yes, the ACE caches the certs, if I am not mistaken.

If you want to make sure that it works, just create a test context or try it on a test farm first. That's what I did prior to changing the certs and the config on the production environment.

Hope it helps.

Roble

3 REPLIES
New Member

Re: ACE SSL - Modifying certs and keys

Thanks.

I'm using the same filenames to try and keep my certs for all my sites manageable. Maybe using a different file name and doing the "no cert old" - "cert new" thing will make it recognize the new cert.

I'll give that a try.

Thanks again!

New Member

Re: ACE SSL - Modifying certs and keys

That did the trick. I think the new filename is key.

Thanks a bunch!
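
Added example, not part of the original thread: a way to confirm from a client that new connections to the VIP are being handed the new certificate after the swap described above, by comparing SHA-256 fingerprints over repeated fresh handshakes. The function names, the constructed stand-in certificates and the hostname `vip.example.com` are assumptions made for illustration.

```python
import hashlib
import ssl
import time

# Constructed stand-ins for the old and new certificates (not real X.509 data);
# in practice read the PEM files that were imported into the ACE.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-certificate")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-new-certificate")

def pem_fingerprint(pem):
    """SHA-256 over the DER bytes carried in a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def fetch_served_cert(host, port=443):
    """Open a fresh TLS connection to the VIP and return its leaf cert as PEM."""
    return ssl.get_server_certificate((host, port))

def classify(served_pem, old_pem, new_pem):
    """Say whether the VIP handed out the old cert, the new one, or neither."""
    fp = pem_fingerprint(served_pem)
    if fp == pem_fingerprint(new_pem):
        return "new"
    return "old" if fp == pem_fingerprint(old_pem) else "unknown"

def wait_for_rotation(fetch, old_pem, new_pem, attempts=12, delay=10.0,
                      needed=3, sleep=time.sleep):
    """Poll with new connections until `needed` handshakes in a row show the
    new cert. Returns (rotated, history) so a stuck "old" is visible."""
    history, streak = [], 0
    for i in range(attempts):
        state = classify(fetch(), old_pem, new_pem)
        history.append(state)
        streak = streak + 1 if state == "new" else 0
        if streak >= needed:
            return True, history
        if i < attempts - 1:
            sleep(delay)
    return False, history

if __name__ == "__main__":
    # Simulated VIP: two handshakes still see the old cert, then the new one.
    served = iter([OLD_PEM, OLD_PEM, NEW_PEM, NEW_PEM, NEW_PEM])
    print(wait_for_rotation(lambda: next(served), OLD_PEM, NEW_PEM,
                            sleep=lambda s: None))
    # Against a real VIP (hostname is a placeholder):
    # wait_for_rotation(lambda: fetch_served_cert("vip.example.com"), old, new)
```

A history that stays at "old" for every attempt matches the symptom in the original question, where the VIP kept serving the previous certificate.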
