01-19-2015 11:45 AM - edited 01-19-2015 11:48 AM
I have a VIP whose cert is expiring. The OPS team renewed the cert and sent me the CSR. I imported it as a PEM and set up a test VIP to see if it works. However, there are keys associated with the production VIP/cert, and I am not completely clear on where those keys are generated and what is done with them.
To test the new cert I created an SSL key pair on the ADX for this new VIP and applied it to the SSL profile. However, when I attempt to path out to the VIP via URL I get this message: "Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH." I can see via the GUI that the cert in question shows key "unknown", but I have the key associated with the SSL profile in question.
Is there a document somewhere that walks someone through renewing a cert or installing a new one? I just want to see the steps involved and how to configure the correct SSL keys.
01-19-2015 11:58 AM
Can you provide more details about your setup, like firmware version, SSL proxy or terminate, and if possible the SSL profile configuration that you are using (on both sides in case of proxy)?
01-19-2015 12:04 PM - edited 01-19-2015 12:04 PM
This is the test scenario, which is identical to the prod one except for the cert/keys and VIP IP. Can you tell me how, where and what to do with the SSL keys?
server virtual server01-test 10.0.0.199
port ssl sticky
port ssl ssl-terminate server01
port ssl csw-policy "server01"
port ssl csw
port ssl keep-alive
port 8080 sticky
bind ssl server02 8000 server03 8000
bind 8080 server02 8080 server03 8080
ssl profile server01
01-19-2015 01:29 PM
You can upload your new certificate and key on the ADX via the GUI or using the scp command. Once you have uploaded them you can see them via the commands "show ssl certificate *" and "show ssl key *", and you need to replace the certificate and keypair file names in the profile with the new ones.
Your current configuration looks OK and it should work: unbind the SSL profile from the VIP, change the keypair and certificate files, and then try to run traffic. Also check the port bind status using the command "show server bind" before sending traffic to the test VIP.
Here is the link to the ADX WebGUI user guide; chapter 8 has details on how to upload an SSL cert and keys:
PS: Use a different name for the SSL cert and key files; otherwise your new cert and key will be appended to the existing key and cert.
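Before re-uploading, it helps to confirm what is actually in the two files the device will see. The following is an added example, not code from this thread or from the ADX firmware: a standard-library-only Python check that inventories the PEM blocks in a file and flags the failure modes discussed above (a CSR uploaded in place of the signed certificate, a second certificate or key appended by a re-upload under the same name, a passphrase-protected key, a key pasted into the cert file). The sample PEM strings are constructed placeholders with dummy base64 bodies, not real keys or certificates, and the file and function names are my own assumptions.

```python
"""Inventory the PEM blocks in a certificate or key file before uploading.

Added example, not code from the thread or from the ADX firmware. It uses
only the standard library and checks structure, not cryptography.
"""
import base64
import re
import sys
from collections import Counter

# A PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def _is_cert(label):
    return label == "CERTIFICATE"


def _is_key(label):
    return label.endswith("PRIVATE KEY")


def inventory_pem(text):
    """Count PEM blocks by label; raise ValueError on a garbled body.

    Legacy OpenSSL headers ("Proc-Type: 4,ENCRYPTED", "DEK-Info: ...") are
    skipped before decoding and the label gets an "ENCRYPTED " prefix.
    """
    counts = Counter()
    for label, body in PEM_BLOCK.findall(text):
        lines = body.splitlines()
        headers = [ln for ln in lines if ":" in ln]  # base64 never contains ':'
        raw = "".join(ln.strip() for ln in lines if ":" not in ln)
        if any(h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers):
            label = "ENCRYPTED " + label
        try:
            decoded = base64.b64decode(raw, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"malformed {label} block: {exc}") from exc
        if not decoded:
            raise ValueError(f"empty {label} block")
        counts[label] += 1
    return counts


def check_file(text, expect):
    """Return warnings for a file meant to hold a 'certificate' or a 'key'.

    An empty list means the file holds exactly one block of the expected kind.
    """
    assert expect in ("certificate", "key")
    try:
        counts = inventory_pem(text)
    except ValueError as exc:
        return [str(exc)]
    certs = sum(n for lbl, n in counts.items() if _is_cert(lbl))
    keys = sum(n for lbl, n in counts.items() if _is_key(lbl))
    csrs = sum(n for lbl, n in counts.items() if lbl in CSR_LABELS)
    encrypted = sum(n for lbl, n in counts.items() if lbl.startswith("ENCRYPTED"))
    warnings = []
    if not counts:
        warnings.append("no PEM blocks found; is this DER or an empty file?")
    if csrs:
        warnings.append("contains a CSR (certificate request), not a signed "
                        "certificate; the CA's issued certificate is needed")
    if expect == "certificate":
        if certs == 0 and not csrs and counts:
            warnings.append("no CERTIFICATE block")
        if certs > 1:
            warnings.append("more than one certificate: either a chain, or a "
                            "re-upload under the same name appended the new "
                            "cert to the old one")
        if keys:
            warnings.append("private key found in the certificate file; "
                            "upload the key as its own file")
    else:
        if keys == 0 and counts:
            warnings.append("no private key block")
        if keys > 1:
            warnings.append("more than one private key: a re-upload under "
                            "the same name appended the new key to the old one")
        if encrypted:
            warnings.append("key is passphrase-protected; decrypt it first "
                            "or the device cannot use it")
        if certs:
            warnings.append("certificate found in the key file")
    return warnings


def fake_block(label, payload):
    """Constructed PEM block with a dummy base64 body (not real DER)."""
    return (f"-----BEGIN {label}-----\n"
            f"{base64.encodebytes(payload).decode()}"
            f"-----END {label}-----\n")


# Constructed sample inputs (hypothetical file contents, not real key material).
NEW_CERT = fake_block("CERTIFICATE", b"new server01 certificate (placeholder)")
NEW_KEY = fake_block("RSA PRIVATE KEY", b"new server01 key (placeholder)")
APPENDED_CERT = NEW_CERT + fake_block("CERTIFICATE", b"old certificate (placeholder)")
CSR_FILE = fake_block("CERTIFICATE REQUEST", b"server01 CSR (placeholder)")
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           + base64.encodebytes(b"ciphertext placeholder").decode()
           + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # usage: pem_check.py FILE certificate|key  (exit 1 if anything is flagged)
    if len(sys.argv) != 3 or sys.argv[2] not in ("certificate", "key"):
        sys.exit("usage: pem_check.py FILE certificate|key")
    with open(sys.argv[1]) as fh:
        problems = check_file(fh.read(), sys.argv[2])
    for p in problems:
        print("WARN:", p)
    sys.exit(1 if problems else 0)
```

This only checks structure. On a host with OpenSSL, pair it with the usual match test: compare the output of `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem`; if the two differ, the certificate was not issued for the key you are about to bind, which is one thing worth ruling out when a profile reports its certificate's key as unknown.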
05-05-2016 09:35 AM - edited 05-05-2016 09:35 AM
Hi Mohit, running version 12.5.01b here. Are you saying to just run the command "no ssl profile PROFILENAME" on the VIP and write mem? We have been unbinding SSL on the VIP first for our certificate upgrades and having issues with the ports hanging in the AWU state until manually cleared. It would be much easier to just "no profile" and add the new profile. Any experience with this?