router restart required after adding cert to truststore for 2 way ssl


Hello,

We are setting up a 2 way ssl virtual host and have it working. HOWEVER, it seems that after importing new client certs to the truststore I am getting a 'bad ssl certificate' error response when hitting a test proxy... I have found that restarting the routers seems to fix this, but that seems unrealistic. Am I missing something?

Immediately after importing the client cert to the truststore the following command DOES NOT show the new client cert in the list of 'Acceptable client certificate CA names'

openssl s_client -showcerts -connect myapigateway.com:443

After restarting the routers and then running the above command the client cert starts showing in the list of 'Acceptable client certificate names'

1 ACCEPTED SOLUTION

Am I missing something?

Yes.

This link describes how to use something called a "keystore reference" or a "truststore reference". You want the latter. (The page gives an example of a keystore reference. Just follow the pattern and use a reference to your truststore instead.)

This means that as you add client certs, you will have multiple distinct truststores, but.... you need only change the ref to point to the latest truststore, and it just starts working. No restart of the router is required. You can remove the old truststores as they become outdated.



If you are not updating an alias that already exists in the truststore, an alternative is to refresh the reference with the same payload as the one currently returned by the GET on the same resource (conceptually a no-op); this makes sure the routers update the old cached truststore with the current version.
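A worked version of the rotation the accepted answer describes (new truststore, repoint the reference) together with the no-op GET-then-PUT refresh from the reply above, as an added example that is not code from the original thread or from Apigee. It assumes the Edge management API at api.enterprise.apigee.com, the environment variables APIGEE_ORG, APIGEE_ENV and APIGEE_AUTH (the full Authorization header value), and hypothetical reference and truststore names; the s_client excerpt at the bottom is constructed so the advertised-CA check can be exercised offline:

```shell
#!/bin/sh
# Added example, not code from the original thread or from Apigee.
# Rotates an Edge truststore behind a truststore reference (accepted answer)
# and offers the "no-op PUT" refresh from the follow-up reply, then checks
# whether the router now advertises the client CA.
# Assumed: Edge management API at api.enterprise.apigee.com, env vars
# APIGEE_ORG, APIGEE_ENV and APIGEE_AUTH (full Authorization header value);
# reference and truststore names are hypothetical placeholders.
set -eu

MGMT="${MGMT:-https://api.enterprise.apigee.com/v1}"

# JSON body for creating a truststore (keystores and truststores share the endpoint).
truststore_payload() { # name
  printf '{"name":"%s"}' "$1"
}

# JSON body that makes reference $1 refer to truststore $2.
# Edge uses resourceType "KeyStore" for truststore references too.
reference_payload() { # ref_name truststore_name
  printf '{"name":"%s","refers":"%s","resourceType":"KeyStore"}' "$1" "$2"
}

# Management API call scoped to the environment (needs APIGEE_* set).
mgmt() { # method path [curl args...]
  _method=$1; _path=$2; shift 2
  curl -fsS -X "$_method" -H "Authorization: $APIGEE_AUTH" \
    "$MGMT/organizations/$APIGEE_ORG/environments/$APIGEE_ENV$_path" "$@"
}

# Create a fresh truststore, import the CA cert(s), then repoint the reference.
# The PUT on the reference is what the routers pick up, so no restart.
rotate_truststore() { # ref_name ca1.pem [ca2.pem ...]
  _ref=$1; shift
  _new_ts="truststore-$(date -u +%Y%m%d%H%M%S)"   # unique per rotation
  mgmt POST /keystores -H 'Content-Type: application/json' \
    -d "$(truststore_payload "$_new_ts")" >/dev/null
  for _cert in "$@"; do
    _alias=$(basename "$_cert" .pem)
    mgmt POST "/keystores/$_new_ts/certs?alias=$_alias" \
      -H 'Content-Type: multipart/form-data' -F "file=@$_cert" >/dev/null
  done
  mgmt PUT "/references/$_ref" -H 'Content-Type: application/json' \
    -d "$(reference_payload "$_ref" "$_new_ts")" >/dev/null
  echo "$_new_ts"
}

# Follow-up reply's alternative: GET the reference and PUT the same body back.
# Conceptually a no-op, but it makes the routers reload the cached truststore.
refresh_reference() { # ref_name
  _body=$(mgmt GET "/references/$1" -H 'Accept: application/json')
  mgmt PUT "/references/$1" -H 'Content-Type: application/json' -d "$_body" >/dev/null
}

# Pure check on s_client output: is the CA name listed under
# "Acceptable client certificate CA names"? Matches a substring inside that
# block only (up to the next "---"), so a CN in the server chain does not count.
ca_advertised() { # s_client_output ca_cn  -> prints yes|no
  if printf '%s\n' "$1" \
       | sed -n '/Acceptable client certificate CA names/,/^---/p' \
       | grep -Fq -- "$2"; then
    echo yes
  else
    echo no
  fi
}

# Live check against the virtual host (needs network); CN taken from the CA file.
verify_vhost_advertises() { # host:port ca.pem
  _cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  _out=$(openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null || true)
  ca_advertised "$_out" "$_cn"
}

# Constructed s_client excerpt (not captured from a real gateway) for offline use.
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = myapigateway.com
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Partner Client CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 1234 bytes'

# Usage: sh rotate.sh <ref-name> ca1.pem [ca2.pem ...]   (needs APIGEE_* set)
if [ "$#" -gt 0 ]; then
  echo "reference now refers to $(rotate_truststore "$@")"
fi
```

The virtual host's sSLInfo.trustStore must already be set to ref://<reference name> (Edge's reference syntax) rather than to the truststore itself; after a rotation, run verify_vhost_advertises myapigateway.com:443 ca.pem and expect "yes" without touching the routers. The CA check matches on the CN value only, which keeps it independent of the name format differences between OpenSSL versions.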


@Dino I set up a truststore reference and configured my VirtualHost to use it. After creating a new truststore and updating the reference I still don't see a change until I restart the router.

Is there another step after creating the new truststore and updating the reference? Thanks!

Hi, please use the button to ask a new question, even if it is related to a prior question. Thanks!


> No restart of the router is required.

Have a flavour of the above situation. I needed to change a certificate. Removed keystore, then recreated it.

Apparently, without restart the router's nginx keeps feeding an old certificate.

Edge 17.09.