Topic
  • 9 replies
  • Latest Post - 2013-03-07T03:54:10Z by SystemAdmin
Bankrupt
39 Posts

Pinned topic SSL Proxy Certificate Expiring

2013-03-06T17:30:39Z |
The cert on my SSL Proxy Crypto Profile on my port 443 FSH is expiring and I need to change it. Is there any solution to have a smooth transition from the OLD to the NEW certs? (The signing chains of the OLD and the NEW certs are completely different.) I have too many consumers calling this proxy, and asking everyone to change at the same time is very hard. Please suggest.
Updated on 2013-03-07T03:54:10Z at 2013-03-07T03:54:10Z by SystemAdmin
  • GKReddy
    136 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T18:30:53Z
    One solution that I have (it might not be the best solution) is to create a new object with the new cert and add that to the proxy profile. Eventually you can pull the old cert object from the list or delete it from the domain. Hope this helps.

    • GK
  • SystemAdmin
    6772 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T18:34:07Z
    > Bankrupt wrote:
    > The cert on my SSL Proxy Crypto Profile on my port 443 FSH is expiring and I need to change it. Is there any solution to have a smooth transition from the OLD to the NEW certs? (The signing chains of the OLD and the NEW certs are completely different.) I have too many consumers calling this proxy, and asking everyone to change at the same time is very hard. Please suggest.

    Since many applications are using the about-to-expire cert and it is issued by your own CA (assuming they are using the same one and the expiration date remains the same, which should be the case), you have to overwrite the existing cert with the new cert and then you have to restart the domain to make sure that the old cache is removed.

    And the same thing has to be done by the different application teams to replace the old cert with the new one.

    Hope this helps,

    Kumar
  • Bankrupt
    39 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T19:17:04Z
    > GKReddy wrote (2013-03-06T18:30:53Z):
    > One solution that I have (it might not be the best solution) is to create a new object with the new cert and add that to the proxy profile. Eventually you can pull the old cert object from the list or delete it from the domain. Hope this helps.
    > GK
    GK -- Your suggestion will not work, as you can have only one crypto profile for the SSL Proxy Profile. So I cannot add the newly created one without removing the old one, and that is the problem.
  • Bankrupt
    39 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T19:22:54Z
    > SystemAdmin (Kumar) wrote (2013-03-06T18:34:07Z):
    > Since many applications are using the about-to-expire cert and it is issued by your own CA (assuming they are using the same one and the expiration date remains the same, which should be the case), you have to overwrite the existing cert with the new cert and then you have to restart the domain to make sure that the old cache is removed.
    >
    > And the same thing has to be done by the different application teams to replace the old cert with the new one.
    >
    > Hope this helps,
    >
    > Kumar
    Kumar -- The cert dates overlap a little bit, and during that overlap (approx. 2 months) I want the consumers to change. So in that period I want both certs to exist. Since I can have only one cert in my SSL Profile at any moment, it becomes painful as everyone has to change at the same time.
  • SystemAdmin
    6772 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T19:40:43Z
    > Bankrupt wrote (2013-03-06T19:22:54Z):
    > Kumar -- The cert dates overlap a little bit, and during that overlap (approx. 2 months) I want the consumers to change. So in that period I want both certs to exist. Since I can have only one cert in my SSL Profile at any moment, it becomes painful as everyone has to change at the same time.

    After the testing is completed for the new cert in the preprod env, it will be wise to perform the change at least 1 month prior to cert expiration so that if any problem happens you at least have a backout plan. Make sure that you do have a copy of the old cert.

    I understand this is a little painful process, but that is the only way you can do cert deployment across different applications, including in the DataPower.

    Overwrite the cert in the cert:/// folder, restart the domain and let the other applications also make their change (I know it is painful, but the application owners/teams have to do the checkout). If everything works then it's all good; otherwise revert back to the old changes till you find the root cause of the problem.
    Regards,
    Kumar
  • Bankrupt
    39 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T19:58:49Z
    > SystemAdmin (Kumar) wrote (2013-03-06T19:40:43Z):
    > After the testing is completed for the new cert in the preprod env, it will be wise to perform the change at least 1 month prior to cert expiration so that if any problem happens you at least have a backout plan. Make sure that you do have a copy of the old cert.
    >
    > I understand this is a little painful process, but that is the only way you can do cert deployment across different applications, including in the DataPower.
    >
    > Overwrite the cert in the cert:/// folder, restart the domain and let the other applications also make their change (I know it is painful, but the application owners/teams have to do the checkout). If everything works then it's all good; otherwise revert back to the old changes till you find the root cause of the problem.
    > Regards,
    > Kumar
    Kumar -- I understand the plan, and that's what we have in mind. But making all the applications (over 100 applications spread around the world) change at the same time is hard and problems are bound to happen, and I want a way to avoid that. So I was looking for a solution for the SSL Proxy to do successful SSL handshakes with both the new and the old certs for some period.
  • SystemAdmin
    6772 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T20:06:59Z
    > Bankrupt wrote (2013-03-06T19:58:49Z):
    > Kumar -- I understand the plan, and that's what we have in mind. But making all the applications (over 100 applications spread around the world) change at the same time is hard and problems are bound to happen, and I want a way to avoid that. So I was looking for a solution for the SSL Proxy to do successful SSL handshakes with both the new and the old certs for some period.

    What you are asking is completely different. You basically want the applications to use both the new and the old cert while having the same backend?
    If you want that then you have to do code changes, and that will also be hard without doing prior testing.

    Regards,
    Kumar
  • GKReddy
    136 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-06T20:19:08Z
    > Bankrupt wrote (2013-03-06T19:17:04Z):
    > GK -- Your suggestion will not work, as you can have only one crypto profile for the SSL Proxy Profile. So I cannot add the newly created one without removing the old one, and that is the problem.
    I suggested that you add a new certificate object, NOT a crypto profile object.
    • GK
  • SystemAdmin
    6772 Posts

    Re: SSL Proxy Certificate Expiring

    2013-03-07T03:54:10Z
    > Bankrupt wrote (2013-03-06T19:58:49Z):
    > Kumar -- I understand the plan, and that's what we have in mind. But making all the applications (over 100 applications spread around the world) change at the same time is hard and problems are bound to happen, and I want a way to avoid that. So I was looking for a solution for the SSL Proxy to do successful SSL handshakes with both the new and the old certs for some period.
    Yours is reverse SSL; replacing a key/cert pair that has a different signing chain is hard if your SSL clients don't have the new signer's certificate in their trust store. Please check if they have the new CA in their trust store; if so, then you can define a new Identification Profile and attach it to the Crypto Profile of the existing SSL Proxy Profile. As you know, the private key in the Val Cred is used in the SSL handshake, and your service can have only one key/cert pair at any given point in time (as per the PKI framework). You can't use both the old and the new key/cert pair at the same time; you would need a big-bang approach.