Application Delivery (ADX)

Contributor
Posts: 22
Registered: 03-30-2011

Cert expiring question about SSL keys

I have a VIP whose cert is expiring. The OPS team renewed the cert and sent me the CSR. I imported it as a PEM and set up a test VIP to see if it works. However, there are keys associated with the production VIP/cert and I am not completely clear on where those keys are generated and what is done with them.

To test the new cert I created an SSL key pair on the ADX for this new VIP and applied it to the ssl profile. However, when I attempt to path out to the VIP via URL I get this message: "Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH." I can see via the GUI that the cert in question shows key "unknown", but I have the key associated to the SSL profile in question.

Is there a document somewhere that walks someone through renewing a cert or installing a new one? I just want to see the steps involved and how to configure the correct ssl keys.

Contributor
Posts: 74
Registered: 08-18-2011

Re: Cert expiring question about SSL keys

Hi,

Can you provide more details about your setup, like firmware version, SSL proxy or terminate, and if possible the ssl profile configuration that you are using (on both sides in case of proxy).

-Mohit Sahni
Contributor
Posts: 22
Registered: 03-30-2011

Re: Cert expiring question about SSL keys

firmware: 12.4.00qT401

This is the test scenario, which is identical to the prod one except for the cert/keys and VIP IP. Can you tell me how, where and what to do with the ssl keys?

server virtual server01-test 10.0.0.199
 port ssl sticky
 port ssl ssl-terminate server01
 port ssl csw-policy "server01"
 port ssl csw
 port ssl keep-alive
 port 8080 sticky
 bind ssl server02 8000 server03 8000
 bind 8080 server02 8080 server03 8080

ssl profile server01
 keypair-file server01-key-2048
 certificate-file server01
 cipher-suite all-cipher-suites
 enable-certificate-chaining
 session-cache off

Contributor
Posts: 74
Registered: 08-18-2011

Re: Cert expiring question about SSL keys

You can upload your new certificate and key on the ADX via the GUI or using the scp command. Once you have uploaded them you can see them via the commands "show ssl certificate *" and "show ssl key *", and you need to replace the certificate and keypair file names with the new certificate.

Your current configuration looks ok and it should work: unbind the ssl profile from the VIP, change the keypair and certificate files, and then try to run traffic. Also check the port bind status using the command "show server bind" before sending the traffic to the test VIP.

Here is the link to the ADX WebGUI user guide; chapter 8 has details on how to upload an SSL cert and keys:

http://www.brocade.com/downloads/documents/product_manuals/B_ServerIron/ServerIron_12400_GUI.pdf

PS: Use a different name for the SSL cert and key files, otherwise your new cert and key will be appended to the existing key and cert.

-Mohit Sahni
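A pre-upload check that goes with the advice above, added here as an example and not code from the thread or from Brocade: it verifies that the PEM key file holds exactly one private key (the appended-file case the PS warns about), that the cert file actually contains a certificate rather than a CSR, and that the certificate's public key belongs to the key that the ssl profile will name. It assumes the openssl CLI is installed; the file names and the self-signed pair are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Brocade's or the thread's code): sanity-check a PEM cert and key
# before uploading them to an ADX. Requires the openssl CLI on the admin workstation.

# pem_block_count FILE LABEL -> number of "-----BEGIN ...LABEL-----" blocks in FILE.
# "PRIVATE KEY" matches PKCS#8, "RSA PRIVATE KEY" and "EC PRIVATE KEY" headers;
# "CERTIFICATE" deliberately does not match "CERTIFICATE REQUEST" (a CSR is not a cert).
pem_block_count() {
    n=$(grep -c -- "^-----BEGIN [A-Z ]*$2-----$" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# cert_key_match CERT KEY -> exit 0 only if the public key embedded in CERT equals
# the public key derived from KEY (openssl reads the first certificate in CERT).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY -> exit 0 only when the pair is safe to upload as one keypair-file
# and one certificate-file; extra certificates in CERT are reported but allowed (chain).
check_pair() {
    certs=$(pem_block_count "$1" CERTIFICATE)
    keys=$(pem_block_count "$2" "PRIVATE KEY")
    if [ "$keys" -ne 1 ]; then
        echo "FAIL: $2 holds $keys private keys, expected exactly 1 (appended upload?)"; return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "FAIL: $1 holds no certificate block"; return 1
    fi
    if ! cert_key_match "$1" "$2"; then
        echo "FAIL: public key in $1 does not match $2"; return 1
    fi
    echo "OK: $1 ($certs certificate block(s)) matches $2"
}

# Constructed demo material: a throwaway self-signed pair, named like the profile above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server01.example" \
    -keyout "$demo_dir/server01-key-2048.pem" -out "$demo_dir/server01.pem" 2>/dev/null
check_pair "$demo_dir/server01.pem" "$demo_dir/server01-key-2048.pem"
```

Run it against the real files before the scp upload; a FAIL on the key count means the file on disk is already a concatenation and should be regenerated, not uploaded under a new name.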
New Contributor
Posts: 4
Registered: 10-21-2011

Re: Cert expiring question about SSL keys

Hi Mohit - running version 12.5.01b here. Are you saying to just run the command "no ssl profile PROFILENAME" on the VIP and write mem? We have been unbinding SSL on the VIP first for our certificate upgrades and having issues with the ports hanging in AWU state until manually cleared. It would be much easier to just "no profile" and add the new profile. Any experience with this?