Today’s Issue:
The 1024-bit SSL Certificates in front of my IIS website have expired, and I need to renew them, but my provider now issues exclusively 2048-bit SSL Certificates.
Where We Are:
Usually, you’d simply hit the Renew button in the Management UI (Local Traffic >> SSL Certificates >> Certificate of Choice), but that only gets me another 1024-bit request.
How We Got Here:
Way back when, I had a helluva time trying to figure out how to get from my IIS-requested SSL certificates to a Certificate & Key that could be consumed by my BigIP.
The good news is, the process for splitting up your PFX into CRT and KEY files is the same as it ever was, but there were a few more steps to get to that point… in short:
- Create a new 2048-bit cert request using the IIS MMC on my webserver
- Get the response back from my Certificate Issuer & install on my webserver using the IIS MMC (Complete Certificate Request)
- Then go through the process outlined previously
- Install the cert & key files on F5
- Map the WEBSERVER_clientssl_profile on the BigIP (Main > Local Traffic > Profiles > SSL > Client > WEBSERVER_clientssl_profile) to use the new cert & key
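A pre-install check for the steps above, as an added example that is not from the original post: it splits the PFX exported from IIS with OpenSSL, then confirms the certificate really is 2048-bit or larger, has not expired, and matches the extracted key before anything is uploaded to the BigIP. The function names, file names and the `PFX_PASS` environment variable are assumptions made for this example, and the earlier post's exact split procedure is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes OpenSSL on an admin
# workstation and the PFX passphrase in the PFX_PASS environment variable,
# so the passphrase never appears in the process list.

# split_pfx <in.pfx> <out.crt> <out.key>
split_pfx() {
    local pfx=$1 crt=$2 key=$3
    # Write the unencrypted key with owner-only permissions; piping through
    # "openssl pkey" drops the bag attributes that pkcs12 prepends.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$key" ) || return 1
    # Leaf certificate only (no chain, no key).
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$crt"
}

# cert_bits <crt>: print the public key size of the certificate, in bits
cert_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# pair_matches <crt> <key>: succeed only if both carry the same public key
pair_matches() {
    local from_crt from_key
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# ready_for_bigip <crt> <key>: the gate to pass before uploading to the F5
ready_for_bigip() {
    local crt=$1 key=$2 bits
    bits=$(cert_bits "$crt")
    [ "${bits:-0}" -ge 2048 ] || { echo "key is ${bits:-?} bits, need 2048 or more" >&2; return 1; }
    pair_matches "$crt" "$key" || { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
}

# Usage (file names are placeholders):
#   export PFX_PASS='...'; split_pfx site.pfx site.crt site.key
#   ready_for_bigip site.crt site.key && echo "OK to install"
```

The extracted key file is unencrypted, so keep it on a trusted workstation and delete it once the cert and key are installed.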
And we’re done. Clear your cache, browse to the website, and validate the site Certificate, and you should now see the new certificate.
Hope that helps.
Hi, thanks very much for this info. Can I ask you about the directory of the SSL certificate?
After I import my cert and key via the web GUI, I want to see my key and cert from tmsh.
I go to /config/ssl/ssl.crt, but I didn’t find the cert that I imported before.
I use BIG IP LTM&WA v11.
I need help; could you share the directory location of the SSL cert?
Thank you