
Wednesday, July 29, 2009

SOL7754: Renewing self-signed device certificates

Updated: 6/24/09 11:07 AM
Solution

Note: The following Solution covers the BIG-IP LTM and BIG-IP ASM. For information about updating SSL device certificates on a BIG-IP GTM or BIG-IP Link Controller refer to SOL6353: Updating an SSL certificate on a BIG-IP GTM or BIG-IP Link Controller system.

Note: The SSL certificate in this Solution is the certificate used by the Configuration utility and is not associated with any certificates used by either the Client or the Server SSL profile.

By default, BIG-IP devices use self-signed SSL certificates for access to the Configuration utility. The certificates are valid for one year; the Configuration utility displays the expiration date when you access it with a web browser.

If the certificate expires, it will not have any adverse effects in most cases, as you can still access the Configuration utility. There are instances in which the expiration of the certificate does have adverse effects, such as when BIG-IP LTM and BIG-IP GTM units are configured to communicate with each other. In this case, the BIG-IP GTM is no longer able to communicate with the BIG-IP LTM that contains the expired self-signed certificate. For information regarding the expiration of the certificate affecting BIG-IP LTM and BIG-IP GTM communication, refer to SOL7466: Expiration of a Configuration utility SSL certificate on a BIG-IP LTM system causes the BIG-IP LTM to be marked down on a BIG-IP GTM system.

The Configuration utility can use either third-party certificates or self-signed certificates. You can renew self-signed certificates to extend their expiration date by following the version-specific procedures below.

Note: For information about third party certificates used within a BIG-IP LTM and BIG-IP GTM version 9.3 or later environment, refer to Chapter 11 of the Global Traffic Manager and Link Controller: Implementations manual. For information regarding third party certificates used within BIG-IP LTM versions 9.0 through 9.2.5 and BIG-IP GTM version 9.3 or later, refer to SOL7742: Configuring the BIG-IP LTM to use third party SSL certificates in a BIG-IP GTM environment.

Renewing the BIG-IP LTM or BIG-IP ASM certificate for another year

To renew the BIG-IP LTM or BIG-IP ASM certificate for another year, perform one of the following version-specific procedures:

Important: If any information is updated other than the validity date, you must re-import the certificate into the BIG-IP GTM. Otherwise, the certificate is considered invalid because it does not match the certificate on the BIG-IP GTM.

Versions 9.2 through 9.4.7

  1. Log in to the BIG-IP LTM or BIG-IP ASM Configuration utility.
  2. Select System.
  3. Select Device Certificates.
  4. Select Renew.
  5. Change Issuer from Certificate Authority to Self.

    Note: As an optional step, you may choose to update any information at this point.

  6. Click Finished.

Versions 9.0 through 9.1.3

  1. Log in to the BIG-IP LTM or BIG-IP ASM Configuration utility.
  2. Select System.
  3. Select Platform.
  4. Select Web Server Certificate.
  5. Select Renew.
  6. Change Issuer from Certificate Authority to Self.

    Note: As an optional step, you may choose to update any information at this point.

  7. Click Finished.

Renewing the BIG-IP LTM or BIG-IP ASM certificate for longer than one year

Note: Beginning in BIG-IP version 10.0.0, you can adjust the validity period of self-signed device certificates within the Configuration utility. For more information, refer to SOL10233: Change in Behavior: Self-signed device certificates lifetime value can be configured within the Configuration utility.

To renew the BIG-IP LTM or BIG-IP ASM certificate for more than one year, perform the following procedure:

  1. Log in to the command line.
  2. Change directories to the /config/httpd/conf/ssl.crt directory by typing the following command:

    cd /config/httpd/conf/ssl.crt

  3. Convert the server.crt certificate to a certificate signing request (CSR) by typing the following command:

    openssl x509 -x509toreq -in server.crt -out server.csr -signkey /config/httpd/conf/ssl.key/server.key

  4. Using the new CSR, specify the number of days for which the certificate should be valid by typing the following command:

    openssl x509 -req -in server.csr -signkey /config/httpd/conf/ssl.key/server.key -days <# of days> -out server.crt

    Note: Replace <# of days> with the number of days in year increments for which you want the certificate to be valid.

    For example, if you want to make the certificate valid for one year, you would type the following command:

    openssl x509 -req -in server.csr -signkey /config/httpd/conf/ssl.key/server.key -days 365 -out server.crt

    Additionally, you can use the following quick reference table to select the number of years for which you want the certificate to be valid:

    Year(s)    Number of Days
    1          365
    2          730
    5          1825
    10         3650

    Note: The number of days in the table does not include additional days for leap years.

  5. Restart the web server daemon by typing the following command:

    bigstart restart httpd
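The following script is an added example and is not part of the F5 Solution: it wraps the openssl steps from the procedure above (convert the existing certificate to a CSR, re-sign it with the same key for a chosen number of days) in a reusable function, and then verifies with `openssl x509 -checkend` that the new certificate covers exactly the requested window. The file paths are hypothetical; on a BIG-IP the files live under /config/httpd/conf/ssl.crt and /config/httpd/conf/ssl.key, and the web server still has to be restarted with `bigstart restart httpd` afterwards. The demo function builds a throwaway key and certificate as constructed input so it runs offline.

```shell
#!/bin/sh
# Added example (not from the F5 Solution): renew a self-signed certificate
# for N days with the same openssl steps the procedure uses, then verify the
# resulting validity window. Paths are hypothetical; on a BIG-IP use the
# server.crt/server.key files under /config/httpd/conf/.
set -eu

# days_for_years YEARS -> number of days, 365 per year (no leap-day padding,
# which matches the quick reference table in the Solution)
days_for_years() {
    echo $(( $1 * 365 ))
}

# renew_self_signed CERT KEY DAYS
# Converts CERT to a CSR (keeping its subject) and re-signs it with KEY so
# that it is valid for DAYS days from now. The old cert is kept as CERT.bak.
renew_self_signed() {
    cert=$1; key=$2; days=$3
    csr=$(mktemp)
    cp "$cert" "$cert.bak"
    openssl x509 -x509toreq -in "$cert" -signkey "$key" -out "$csr" 2>/dev/null
    openssl x509 -req -in "$csr" -signkey "$key" -days "$days" -out "$cert" 2>/dev/null
    rm -f "$csr"
}

# cert_valid_for_days CERT DAYS -> exit 0 if CERT will still be valid DAYS days
# from now, non-zero if it expires before then (openssl x509 -checkend)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# demo_renew DAYS: create a one-year throwaway key/cert (constructed test
# input), renew it for DAYS, and return 0 only if the renewed certificate
# is valid for DAYS days and not longer (i.e. -days was really applied).
demo_renew() {
    days=$1
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=bigip.example.test" \
        -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
    renew_self_signed "$work/server.crt" "$work/server.key" "$days"
    # must still be valid one day short of the requested window ...
    if ! cert_valid_for_days "$work/server.crt" $(( days - 1 )); then
        rm -rf "$work"; return 1
    fi
    # ... and must expire before one day past it
    if cert_valid_for_days "$work/server.crt" $(( days + 1 )); then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}
```

Usage on a real system would be `renew_self_signed /config/httpd/conf/ssl.crt/server.crt /config/httpd/conf/ssl.key/server.key "$(days_for_years 2)"` followed by `bigstart restart httpd`; the `.bak` copy lets you restore the previous certificate if the GTM side still expects it (see the Important note above about re-importing changed certificates).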
