SSL Decryption - Intermediate Cert renewal


L1 Bithead

Hello, we are implementing Inbound SSL Decryption. The plan is to import the keys from our F5 Load Balancer. After a number of attempts and working with support, we found the only way for the import to work successfully is to import the bundle (CA / Intermediate / Certificate for the VIP).

While that process works, it leaves us with the question of renewal.

Our Intermediate certificate expires in May. Can we simply a) renew this certificate, b) can we just import this renewed certificate from the F5, or c) will we have to import the bundle again for all 20+ VIPs when this cert is renewed in May?

Cyber Elite

@brandonbushong,

When you are talking about importing the bundle, do you mean that you simply had to import all three certificates or that you needed to chain all certificates? If you simply had to import all three certificates, you would simply import the new intermediate certificate so that the firewall trusts the full chain. If this is a chained certificate, you would need to update the chain and import the chained certificate.  
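
Whether a file holds separately imported certificates or a chained bundle, the renewal question comes down to which certificate in it is expiring and whether the chain is still in order. The script below is an added example, not from the thread or from either vendor, that reports both for a PEM bundle. It assumes the `openssl` CLI is installed; `bundle_report`, `make_demo_bundle` and the demo certificate names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list each certificate in a PEM bundle with its
# expiry, flag any inside the warning window, and check leaf-first chain order.
# Assumes the openssl CLI; function names and demo certificate names are made up.

# bundle_report BUNDLE.pem [WARN_DAYS] -> one line per cert; exit status 1 if any flag
bundle_report() (
    bundle=$1; warn_days=${2:-30}; rc=0; prev_issuer=""
    tmp=$(mktemp -d) || exit 2
    # Split the bundle into one file per certificate, keeping bundle order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || { echo "no certificates in $bundle" >&2; rc=2; break; }
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        flags=""
        # -checkend N exits non-zero when the certificate expires within N seconds.
        openssl x509 -in "$f" -noout -checkend $((warn_days * 86400)) >/dev/null ||
            flags="$flags EXPIRING"
        # Leaf-first order: the previous certificate's issuer must be this subject.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            flags="$flags OUT_OF_ORDER"
        fi
        [ -z "$flags" ] || rc=1
        printf '%s | issuer=%s | notAfter=%s |%s\n' "$subject" "$issuer" "$not_after" "${flags:- OK}"
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Constructed sample input: throwaway root -> int -> leaf chain in DIR, with only the
# intermediate ("int") valid for just 10 days. Writes DIR/bundle.pem, leaf first.
make_demo_bundle() (
    cd "$1" || exit 2
    issue() {  # issue NAME SIGNER DAYS
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=Demo $1" 2>/dev/null
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -out "$1.pem" -days "$3" 2>/dev/null
    }
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 3650 -subj "/CN=Demo root" 2>/dev/null
    issue int root 10 && issue leaf int 365 && cat leaf.pem int.pem root.pem > bundle.pem
)
```

The order check compares issuer and subject names only; it does not verify signatures.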

Cyber Elite

@brandonbushong do you have the same Client SSL profile on all 20 VIPs?

Because if the certificate is renewed, you need to upload the renewed certificate. If you have the same Client SSL profile on all 20 VIPs, you can simply replace the expired certificate with the new one, and after updating it, it will be applied on all 20 VIPs.

Hope it helps!

Mayur

Thanks. Have you completed this in Production? I'd like to see or hear from someone who completed this and confirm the process works.

@brandonbushong I have done it on my LB. Let me know if you need any help.

 

Mayur


So you have completed this on the Palo and the F5?

Yes, I have done it on F5. You need to do configurations on the F5 and web server end too. No need to do anything on Palo Alto.

Please refer to the article below.

https://support.f5.com/csp/article/K4816

Hope it helps!

Mayur
