REPLACE AN SSL CERTIFICATE FOR A REVERSE SSL PROXY WITHOUT DOWNTIME
Your proxy is set up as a Reverse SSL proxy and your certificate is about to expire. Since certificates can't be extended, you have a new certificate but you can't afford any downtime while switching certificates.
Normally you would have to remove the keyring from the Reverse SSL Proxy service, then delete the certificate and import the new one. However, this causes downtime, which you want to avoid.
The way to get around that is to create a new keyring, import the private key of the old keyring, import the new certificate and finally switch the keyring that is used in the Reverse SSL Proxy service.
Step-by-step:
1) Make sure that the keyring you are currently using has the private key "Shown" (Configuration -> SSL -> Keyrings). If this is showing as "Hidden" you cannot use these instructions.
2) Export the private key for that keyring. In order to get the private key, you have to connect to the proxy command-line and type the following:
- enable
- conf t
- ssl
- view keypair unencrypted
This will output the private key. Copy it to the clipboard, including the lines containing BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY.
3) Back in the GUI, create a new keyring, give it a name, choose "Show key pair", select "Import existing private key" and click "Paste from clipboard". If the private key has a password, you can enter that as well, otherwise untick the password tickbox.
4) Click OK and Apply to finish creation of the keyring.
5) Select the new keyring and click Edit.
6) Import the new certificate into the new keyring:
Click OK. If you also wish to import an old CSR, you can do that as well. Finally click "Close" and "Apply".
7) In your Reverse SSL Proxy service settings, now choose the new keyring.
Click "Apply" and the new keyring (and hence the new certificate) will be active immediately.
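Because this procedure pairs the old private key with a new certificate, the certificate must have been issued for that exact key. The following check is an added example, not part of the original article: it compares the public key in each file with openssl before the import in step 6. The file names and the sample key and certificate are constructed for the demonstration, and it assumes openssl is installed on the workstation and the exported key is unencrypted PEM.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that the new
# certificate was issued for the private key exported from the old keyring.
# Assumes openssl is installed and the key file is unencrypted PEM.

# SHA-256 of the public key derived from a PEM private key file.
key_pub_digest() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a PEM certificate file.
cert_pub_digest() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if both files parse and carry the same public key.
# Returns 2 when either file cannot be parsed, 1 on a mismatch.
cert_matches_key() {
    k=$(key_pub_digest "$1") || return 2
    c=$(cert_pub_digest "$2") || return 2
    [ "$k" = "$c" ]
}

# Constructed sample data: two throwaway keys and a self-signed certificate
# for the first one, written to a private temp directory (mode 0700).
make_samples() {
    umask 077
    SAMPLES=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=proxy.example.test" \
        -keyout "$SAMPLES/old.key" -out "$SAMPLES/new.crt" 2>/dev/null
    openssl genrsa -out "$SAMPLES/other.key" 2048 2>/dev/null
}

make_samples
if cert_matches_key "$SAMPLES/old.key" "$SAMPLES/new.crt"; then
    echo "match: certificate belongs to the exported key"
fi
if ! cert_matches_key "$SAMPLES/other.key" "$SAMPLES/new.crt"; then
    echo "mismatch: certificate was issued for a different key"
fi
rm -rf "$SAMPLES"   # do not leave exported private keys on disk
```

With real files, call `cert_matches_key` with the path of the saved private key and the path of the new certificate, then delete the saved key once the new keyring is in service.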