SSL Decryption - Intermediate Cert renewal

L1 Bithead


Hello, we are implementing Inbound SSL Decryption. The plan is to import the keys from our F5 Load Balancer. After a number of attempts and working with support, we found the only way for the import to work successfully is to import the bundle (CA / Intermediate / Certificate for the VIP).

While that process works, it leaves us with the question of renewal.

Our Intermediate certificate expires in May. Can we simply a) renew this certificate, b) can we just import this renewed certificate from the F5, or c) will we have to import the bundle again for all 20+ VIPs when this cert is renewed in May?

Cyber Elite

Re: SSL Decryption - Intermediate Cert renewal

@brandonbushong,

When you are talking about importing the bundle, do you mean that you simply had to import all three certificates or that you needed to chain all certificates? If you simply had to import all three certificates, you would simply import the new intermediate certificate so that the firewall trusts the full chain. If this is a chained certificate, you would need to update the chain and import the chained certificate.  

L5 Sessionator

Re: SSL Decryption - Intermediate Cert renewal

@brandonbushong do you have the same Client SSL profile on all 20 VIPs?

Because if the certificate is renewed, you need to upload the renewed certificate. If you have the same Client SSL profile on all 20 VIPs, you can simply replace the expired certificate with the new one, and after updating it, it will get applied on all 20 VIPs.

Hope it helps!

 

Mayur



Mayur Sutare
L1 Bithead

Re: SSL Decryption - Intermediate Cert renewal

Thanks. Have you completed this in Production? I'd like to see or hear from someone who completed this and confirm the process works.

 

L5 Sessionator

Re: SSL Decryption - Intermediate Cert renewal

@brandonbushong I have done it on my LB. Let me know if you need any help.

 

Mayur



Mayur Sutare
L1 Bithead

Re: SSL Decryption - Intermediate Cert renewal

So you have completed this on the Palo and the F5?

 

L5 Sessionator

Re: SSL Decryption - Intermediate Cert renewal

Yes, I have done it on F5. You need to do configurations on the F5 and web server end too. No need to do anything on Palo Alto.

Please refer to the article below.

https://support.f5.com/csp/article/K4816

Hope it helps!

 

Mayur



Mayur Sutare