How do I replace an SSL certificate for a Reverse SSL Proxy without downtime?



Solution

Overview

Your proxy is set up as a Reverse SSL proxy and your certificate is about to expire. Since certificates can't be extended, you have a new certificate but you can't afford any downtime while switching certificates.

Normally you would have to remove the keyring from the Reverse SSL Proxy service, then delete the certificate and import the new one. However, this causes downtime, which you want to avoid.

The way to get around that is to create a new keyring, import the private key of the old keyring, import the new certificate and finally switch the keyring that is used in the Reverse SSL Proxy service.

Step-by-step:

1) Make sure that the keyring you are currently using has the private key "Shown" (Configuration -> SSL -> Keyrings). If this is showing as "Hidden" you cannot use these instructions.

2) Export the private key for that keyring. To get the private key, connect to the proxy command line and type the following:

    enable
    conf t
    ssl
    view keypair unencrypted <keyring-name>

This will output the private key. Copy it to the clipboard, including the lines containing BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY.

3) Back in the GUI, create a new keyring, give it a name, choose "Show key pair", select "Import existing private key" and click "Paste from clipboard". If the private key has a password, you can enter that as well, otherwise untick the password tickbox.


4) Click OK and Apply to finish creation of the keyring.

5) Select the new keyring and click Edit.

6) Import the new certificate into the new keyring:


Click OK. If you also wish to import an old CSR, you can do that as well. Finally click "Close" and "Apply".

7) In your Reverse SSL Proxy service settings, now choose the new keyring.


Click "Apply" and the new keyring (and hence the new certificate) will be active immediately.
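Because this procedure pairs the old private key with the new certificate, the certificate must have been issued for that same key. The following check is an added example, not part of the original article or vendor tooling: it compares the two with OpenSSL on an admin workstation before step 6. The file names, the function names and the 30-day validity margin are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check before importing the
# new certificate into the new keyring.
# Assumed inputs (PEM): old-keyring.key = key pasted from "view keypair
# unencrypted", new-cert.pem = the replacement certificate.
# The key file is unencrypted: keep it mode 600 and delete it afterwards.

# SubjectPublicKeyInfo (PEM) derived from an unencrypted private key.
pub_from_key() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# SubjectPublicKeyInfo (PEM) embedded in a certificate.
pub_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# check_keyring_pair KEY CERT [MIN_SECONDS]
# Returns 0 = safe to import, 1 = key and certificate do not match,
#         2 = unreadable input, 3 = certificate expires within MIN_SECONDS.
check_keyring_pair() {
    ckp_min=${3:-0}
    ckp_kpub=$(pub_from_key "$1") || true
    ckp_cpub=$(pub_from_cert "$2") || true
    # An empty result means OpenSSL could not parse the file; never treat
    # two empty strings as a match.
    if [ -z "$ckp_kpub" ] || [ -z "$ckp_cpub" ]; then
        echo "cannot parse key or certificate" >&2
        return 2
    fi
    if [ "$ckp_kpub" != "$ckp_cpub" ]; then
        echo "certificate was not issued for this private key" >&2
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend "$ckp_min" >/dev/null 2>&1; then
        echo "certificate expires within $ckp_min seconds" >&2
        return 3
    fi
    echo "key and certificate match; certificate is within validity margin"
}

# Run as: sh check.sh old-keyring.key new-cert.pem 2592000   (30 days)
if [ "$#" -ge 2 ]; then
    check_keyring_pair "$@"
fi
```

A non-zero result means the certificate should not be imported into the new keyring until the mismatch or expiry is resolved.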

InQuira Doc Id      FAQ2308
First Published      10/01/2014
Last Modified      10/06/2014
Last Published      10/06/2014
Product      ProxySG
Topic      Configuration / WUI / CLI, Installation / Configuration, SSL / HTTPS
Article Number      000010605