Foundry ServerIron SSL Certificate Management

After generating the CSR on the Apache server and obtaining the certificate from Verisign, use the following procedure to upload the certificates and keys to the Foundry and update its configuration.

Make a note of the existing certificates and keys on the Foundry as follows:

Log on to each load balancer with PuTTY and run sh config:

192.168.5.60 and 192.168.5.80 are prod devices
192.168.7.60 and 192.168.7.80 are test devices

en
sh config

You only need to look at the ssl profile section; the keypair-file and certificate-file lines are the ones to note.

ssl profile www-sysxperts-org2
 keypair-file sysxperts-key2
 certificate-file sysxpertsnew
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining
ssl profile pvalentino
 keypair-file pvalentino-key
 certificate-file pvalentinochain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining

Make a note of the existing keypair-file and certificate-file names, because you cannot reuse an existing name when uploading the new certs and keys. Given the output above and the need to install a new cert for www.sysxperts.org:

Log on to the Apache web server mnsvlwwwp001 as a regular user (uploads will not work as the root user).

cd to the /data/web/certs folder (or wherever you stored the keys and certs). The following uploads must be done as a regular user and in the order shown: the key first, then the server certificate, then the Verisign intermediate. Both certificates go to the same sslcert name so the device stores them as one chain.

scp ./www.sysxperts.org.key pvalentino@192.168.5.60:sslkeypair:sysxperts-key3:sysxperts:pem
scp ./www.sysxperts.org.key pvalentino@192.168.5.80:sslkeypair:sysxperts-key3:sysxperts:pem
scp ./www.sysxperts.org.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem
scp ./www.sysxperts.org.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem
scp ./verisign_inter.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem
scp ./verisign_inter.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem
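
The name check and the upload order above are easy to get wrong when you are doing this on two devices at once, so here is an added pre-flight script (example code, not from the original post). It parses the rconsole listings captured from each device, refuses to proceed if a planned name is already in use or if the two devices disagree about what they hold, and then prints the scp lines in the post's order. The device addresses, user name, file names and listing text below are constructed from the post; the third field of the sslkeypair target (`sysxperts` in the post) is passed through unchanged and is assumed here to be the key password.

```python
"""Pre-flight check for a ServerIron cert rollover (added example, not from the
original post). Takes the 'sh ssl cert *' / 'sh ssl key *' output captured
from each device plus the planned new names, confirms the names are not
already in use anywhere (an existing name cannot be reused for an upload),
checks the two devices hold the same inventory, and emits the scp uploads
in the order the post uses."""

import re

# Constructed sample listings, shaped like the rconsole output in the post,
# captured from both prod devices before the upload.
DEVICE_LISTINGS = {
    "192.168.5.60": {
        "cert": "pvalentinochain 2944\nsysxpertsnew 2826\n",
        "key": "pvalentino-key 1209\nsysxperts-key2 1197\n",
    },
    "192.168.5.80": {
        "cert": "pvalentinochain 2944\nsysxpertsnew 2826\n",
        "key": "pvalentino-key 1209\nsysxperts-key2 1197\n",
    },
}


def parse_listing(text):
    """Map name -> size from a 'sh ssl cert *' or 'sh ssl key *' listing.
    Lines that do not look like '<name> <size>' (prompts, 'Output >') are skipped."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\d+)\s*$", line)
        if m:
            names[m.group(1)] = int(m.group(2))
    return names


def find_collisions(listings, new_key, new_cert):
    """Return (device, kind, name) for every device where a planned name is taken."""
    hits = []
    for device, out in listings.items():
        if new_key in parse_listing(out["key"]):
            hits.append((device, "key", new_key))
        if new_cert in parse_listing(out["cert"]):
            hits.append((device, "cert", new_cert))
    return hits


def find_drift(listings):
    """Names present on some devices but not all; an active/standby pair should match."""
    per_device = {d: set(parse_listing(o["cert"])) | set(parse_listing(o["key"]))
                  for d, o in listings.items()}
    union = set().union(*per_device.values())
    return sorted(n for n in union if any(n not in s for s in per_device.values()))


def upload_commands(devices, user, key_file, cert_file, inter_file,
                    new_key, new_cert, key_password):
    """scp lines in the post's order: key to every device, then the server cert,
    then the intermediate. Both certs target the same sslcert name so the
    device stores them as one chain. The third field of the sslkeypair target
    is passed through as given (assumed here to be the key password)."""
    plan = [
        (key_file, f"sslkeypair:{new_key}:{key_password}:pem"),
        (cert_file, f"sslcert:{new_cert}:pem"),
        (inter_file, f"sslcert:{new_cert}:pem"),
    ]
    return [f"scp {src} {user}@{dev}:{target}"
            for src, target in plan for dev in devices]


if __name__ == "__main__":
    conflicts = find_collisions(DEVICE_LISTINGS, "sysxperts-key3", "sysxpertsorg3")
    drift = find_drift(DEVICE_LISTINGS)
    if conflicts or drift:
        raise SystemExit(f"fix these before uploading: collisions={conflicts} drift={drift}")
    for cmd in upload_commands(sorted(DEVICE_LISTINGS), "pvalentino",
                               "./www.sysxperts.org.key", "./www.sysxperts.org.crt",
                               "./verisign_inter.crt",
                               "sysxperts-key3", "sysxpertsorg3", "sysxperts"):
        print(cmd)
```

Paste the real `sh ssl cert *` and `sh ssl key *` output from each device into DEVICE_LISTINGS; the parser ignores the `Output >` lines and any prompt text, so the rconsole session can be copied as-is.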

Verify that the new keys and certs have been uploaded to the Foundry devices as follows:

rconsole 1 1
sh ssl cert *
Output >
pvalentinochain 2944
sysxpertsnew 2826
sysxpertsorg3 2826 # here is the new cert chain
sh ssl key *
Output >
pvalentino-key 1209
sysxperts-key2 1197
sysxperts-key3 1209 # here is the new key
rconsole-exit


After uploading all the keys and certs to both devices and verifying them, update the config on both devices as follows:

First unbind the ssl profile from the virtual server and remove the old key and cert from the profile:

server virtual webprd
 no port ssl ssl-terminate www-sysxperts-org2
ssl profile www-sysxperts-org2
 no certificate-file sysxpertsnew
 no keypair-file sysxperts-key2

Perform a save with:

end
wr mem

Update the ssl profile:

conf t
ssl profile www-sysxperts-org2
 keypair-file sysxperts-key3
 certificate-file sysxpertsorg3
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining

Bind the virtual server to the updated profile:

server virtual webprd
 port ssl ssl-terminate www-sysxperts-org2

Perform a save with:

end
wr mem
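
Once the profile is rebound, the failure modes this procedure can leave behind are a profile that still points at a name that later gets cleared in the cleanup step, a virtual server bound to a profile that does not exist, or a profile where disable-ssl-v2 was dropped while retyping it. The following check (added example in Python, not part of the original post) parses the ssl profile and server virtual sections of the sh config output together with the rconsole listings and reports those cases. The config and listing text are constructed to match the post's output.

```python
"""Consistency check for a ServerIron SSL profile after a rebind (added
example, not from the original post). Parses the 'ssl profile' and
'server virtual' sections of 'sh config' together with the 'sh ssl cert *' /
'sh ssl key *' listings and reports anything that would leave the virtual
server without a usable key and chain, or with SSLv2 still enabled."""

import re

# Constructed sample: the config after the rebind in the post, and the listing
# from one device after the old key and cert were cleared in the cleanup step.
CONFIG_AFTER = """\
ssl profile www-sysxperts-org2
 keypair-file sysxperts-key3
 certificate-file sysxpertsorg3
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining
ssl profile pvalentino
 keypair-file pvalentino-key
 certificate-file pvalentinochain
 cipher-suite all-cipher-suites
 disable-ssl-v2
 session-cache off
 enable-certificate-chaining
server virtual webprd
 port ssl ssl-terminate www-sysxperts-org2
"""

LISTING_AFTER = {
    "cert": "pvalentinochain 2944\nsysxpertsorg3 2826\n",
    "key": "pvalentino-key 1209\nsysxperts-key3 1209\n",
}


def listed_names(text):
    """Names from a 'sh ssl cert *' or 'sh ssl key *' listing ('<name> <size>' lines)."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+\d+\s*$", line)
        if m:
            names.add(m.group(1))
    return names


def parse_sections(config):
    """Split config into (header, [indented body lines]) in order of appearance."""
    sections = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def check_config(config, listing):
    """Return human-readable problems; an empty list means the config is consistent."""
    certs, keys = listed_names(listing["cert"]), listed_names(listing["key"])
    profiles, bindings = {}, []
    for header, body in parse_sections(config):
        if header.startswith("ssl profile "):
            settings, flags = {}, set()
            for item in body:
                parts = item.split(None, 1)
                if len(parts) == 2:
                    settings[parts[0]] = parts[1]   # e.g. keypair-file <name>
                else:
                    flags.add(parts[0])             # e.g. disable-ssl-v2
            profiles[header.split(None, 2)[2]] = (settings, flags)
        elif header.startswith("server virtual "):
            vserver = header.split(None, 2)[2]
            for item in body:
                m = re.match(r"port ssl ssl-terminate (\S+)$", item)
                if m:
                    bindings.append((vserver, m.group(1)))

    problems = []
    for name, (settings, flags) in profiles.items():
        key, cert = settings.get("keypair-file"), settings.get("certificate-file")
        if key not in keys:
            problems.append(f"profile {name}: keypair-file {key} not on device")
        if cert not in certs:
            problems.append(f"profile {name}: certificate-file {cert} not on device")
        if "disable-ssl-v2" not in flags:
            problems.append(f"profile {name}: SSLv2 not disabled")
    for vserver, profile in bindings:
        if profile not in profiles:
            problems.append(f"virtual {vserver}: bound to unknown profile {profile}")
    return problems


if __name__ == "__main__":
    for problem in check_config(CONFIG_AFTER, LISTING_AFTER) or ["config is consistent"]:
        print(problem)
```

Run it once against each device with that device's own listing, both right after the rebind and again after the cleanup step; the second run is the one that catches a profile still referencing a key or cert that was just cleared.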

Test configuration and burn-in for at least 7 days before cleaning up old certs and keys.

Cleaning up:

en
rconsole 1 1
sh ssl key *
clear ssl key oldkey # removes the named key
sh ssl cert *
clear ssl cert oldcert # removes the named cert chain
rconsole-exit

Ctrl-H is the backspace key on the Foundry; you can change the PuTTY keyboard settings to send Ctrl-H for backspace if you find this as annoying as I do :)
