09-24-2014 03:20 AM
I have CSS11501S-C-K9 with 8.10.1.06 and certificate is expires within a week. What is the procedure to update new certificate and is there any downtime required to update certificate?
Solved! Go to Solution.
09-24-2014 05:06 AM
Hi,
To renew the certificates you need to generate the CSR and go to the CA, give it that CSR and get the certificate. For details kindly visit the below link:
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/css11500series/v8-10/configuration/ssl/guide/sslgd/certkeys.html
Visit section:
Using an RSA Key to Generate a Certificate Signing Request
The link also lists procedure of importing the certificate and how to associate it with SSL-Proxy.
Also, you should do this in downtime since you won't be able to modify active SSL-List.
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
09-24-2014 12:40 PM
Hi Arun,
You can use that RSA key pair to generate the CSR request and then send this request to CA for getting a certificate which you would import. And yes you can import the certificate in same name. But you would need to delete the old one. Have a look at this step by step installation:
http://www.cisco.com/c/en/us/support/docs/application-networking-services/css-11500-series-content-services-switches/47781-req-serv-cert.html
Again, in your case you would need to suspend and activate the SSL proxy list.
You can also look at the expired intermediate cert replacement steps and they are good for normal cert too.
http://www.cisco.com/c/en/us/support/docs/application-networking-services/css-11500-series-content-services-switches/47780-expired-verisign.html
Regards,
Kanwal
Note: Please mark answers if they are helpful.
09-24-2014 05:06 AM
Hi,
To renew the certificates you need to generate the CSR and go to the CA, give it that CSR and get the certificate. For details kindly visit the below link:
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/css11500series/v8-10/configuration/ssl/guide/sslgd/certkeys.html
Visit section:
Using an RSA Key to Generate a Certificate Signing Request
The link also lists procedure of importing the certificate and how to associate it with SSL-Proxy.
Also, you should do this in downtime since you won't be able to modify active SSL-List.
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
09-24-2014 12:28 PM
Thanks Kanwal.
I already have rsa key whether I have to regenerate RSA once again or only certificate has to import.
Also is it allow to import certificate in the same name which is expiring now>?
Regards,
Arun V S
09-24-2014 12:40 PM
Hi Arun,
You can use that RSA key pair to generate the CSR request and then send this request to CA for getting a certificate which you would import. And yes you can import the certificate in same name. But you would need to delete the old one. Have a look at this step by step installation:
http://www.cisco.com/c/en/us/support/docs/application-networking-services/css-11500-series-content-services-switches/47781-req-serv-cert.html
Again, in your case you would need to suspend and activate the SSL proxy list.
You can also look at the expired intermediate cert replacement steps and they are good for normal cert too.
http://www.cisco.com/c/en/us/support/docs/application-networking-services/css-11500-series-content-services-switches/47780-expired-verisign.html
Regards,
Kanwal
Note: Please mark answers if they are helpful.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: