Foundry ServerIron SSL Certificate Management
After generating the CSR on the Apache server and obtaining the certificate from Verisign, use the following procedure to upload the certificates and keys to the Foundry and update the configuration.
Make a note of the existing certificates and keys on the Foundry as follows:
Logon to each load balancer with PuTTY and perform a sh config:
- 192.168.5.60 and 192.168.5.80 are prod devices
- 192.168.7.60 and 192.168.7.80 are test devices
- en
- sh config
You just need to look at the ssl profile section (the keypair-file and certificate-file entries are the ones that matter):
ssl profile www-sysxperts-org2
  keypair-file sysxperts-key2
  certificate-file sysxpertsnew
  cipher-suite all-cipher-suites
  disable-ssl-v2
  session-cache off
  enable-certificate-chaining
ssl profile pvalentino
  keypair-file pvalentino-key
  certificate-file pvalentinochain
  cipher-suite all-cipher-suites
  disable-ssl-v2
  session-cache off
  enable-certificate-chaining
Make a note of the existing keypair-file and certificate-file names, because you cannot reuse a name that is already in use when uploading the new certs and keys. Given the output above and the need to install a new cert for www.sysxperts.org:
Logon to the Apache web server mnsvlwwwp001 as a regular user (uploads will not work as the root user).
cd to the /data/web/certs folder (or wherever you stored the keys and certs). The following uploads must be done as a regular user and in the proper order (key first, then the server cert, then the intermediate cert into the same certificate name):
- scp ./www.sysxperts.org.key pvalentino@192.168.5.60:sslkeypair:sysxperts-key3:sysxperts:pem
- scp ./www.sysxperts.org.key pvalentino@192.168.5.80:sslkeypair:sysxperts-key3:sysxperts:pem
- scp ./www.sysxperts.org.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem
- scp ./www.sysxperts.org.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem
- scp ./verisign_inter.crt pvalentino@192.168.5.60:sslcert:sysxpertsorg3:pem
- scp ./verisign_inter.crt pvalentino@192.168.5.80:sslcert:sysxpertsorg3:pem
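A pre-flight check for the step above, added here as an example and not part of the original post: it parses the `sh ssl key *` / `sh ssl cert *` listings taken from the device, refuses a new keypair or certificate name that is already in use, and emits the scp commands for both prod devices in the order the page uses. The sample listings are constructed from the page; the third field of the sslkeypair target is passed through as given in the page's scp lines (assumed here to be a passphrase-style field, the page does not say).

```python
"""Pre-flight name check and upload plan for a Foundry ServerIron cert rollout."""
import re

# Constructed sample output of `sh ssl key *` and `sh ssl cert *` (modelled on the page).
SH_SSL_KEY = """\
pvalentino-key 1209
sysxperts-key2 1197
"""
SH_SSL_CERT = """\
pvalentinochain 2944
sysxpertsnew 2826
"""

PROD_DEVICES = ["192.168.5.60", "192.168.5.80"]  # prod load balancers from the page


def parse_names(show_output):
    """Return the set of object names listed by `sh ssl key *` / `sh ssl cert *`."""
    names = set()
    for line in show_output.splitlines():
        m = re.match(r"^\s*(\S+)\s+\d+\s*$", line)  # "<name> <size>"
        if m:
            names.add(m.group(1))
    return names


def plan_upload(user, key_name, cert_name, key_field, existing_keys, existing_certs,
                key_file, cert_file, inter_file, devices=PROD_DEVICES):
    """Build the ordered scp commands for every device, refusing names already in use.

    key_field is the third field of the sslkeypair target (assumed passphrase field).
    """
    if key_name in existing_keys:
        raise ValueError("keypair name already in use on device: %s" % key_name)
    if cert_name in existing_certs:
        raise ValueError("certificate name already in use on device: %s" % cert_name)
    cmds = []
    # Order from the page: key to each device, then server cert, then the
    # intermediate into the same certificate-file name so the chain is built.
    for dev in devices:
        cmds.append("scp %s %s@%s:sslkeypair:%s:%s:pem" % (key_file, user, dev, key_name, key_field))
    for dev in devices:
        cmds.append("scp %s %s@%s:sslcert:%s:pem" % (cert_file, user, dev, cert_name))
    for dev in devices:
        cmds.append("scp %s %s@%s:sslcert:%s:pem" % (inter_file, user, dev, cert_name))
    return cmds
```

Run `parse_names` on the listing from each device and pass the union of the results, since a name only has to collide on one device to break the upload.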
Verify that the new keys and certs have been uploaded to the Foundry devices as follows:
- rconsole 1 1
- sh ssl cert *
- Output >
- pvalentinochain 2944
- sysxpertsnew 2826
- sysxpertsorg3 2826 # here is the new cert chain
- sysxpertsnew 2826
- sh ssl key *
- Output >
- pvalentino-key 1209
- sysxperts-key2 1197
- sysxperts-key3 1209 # here is the new key
- sysxperts-key2 1197
- rconsole-exit
- sh ssl cert *
After uploading all the keys and certs to both devices and verifying them, update the config on both devices as follows:
- First unbind the ssl policy
server virtual webprd
  no port ssl ssl-terminate www-sysxperts-org2
ssl profile www-sysxperts-org2
  no certificate-file sysxpertsnew
  no keypair-file sysxperts-key2
Perform a save with:
- end
- wr mem
- Update ssl profile:
- conf t
ssl profile www-sysxperts-org2
  keypair-file sysxperts-key3
  certificate-file sysxpertsorg3
  cipher-suite all-cipher-suites
  disable-ssl-v2
  session-cache off
  enable-certificate-chaining
- Bind virtual server to the updated profile:
server virtual webprd port ssl ssl-terminate www-sysxperts-org2
Perform a save with:
- end
- wr mem
Test the configuration and let it burn in for at least 7 days before cleaning up the old certs and keys.
Cleaning up:
- en
- rconsole 1 1
- sh ssl key *
- clear ssl key oldkey #removes named key
- sh ssl cert *
- clear ssl cert oldcert #removes named cert chain
- rconsole-exit
- rconsole 1 1
Ctrl-H is the backspace key on the Foundry; you can update the PuTTY keyboard properties to use Ctrl-H if you find this as annoying as I do :)