Updating an Expiring Load Balancer Certificate

Update an expiring SSL certificate for a load balancer.

To ensure consistent service, you must update (rotate) expiring certificates. This process consists of the performing the tasks:

  • Uploading the new SSL certificate bundle to the load balancer.

  • Editing the applicable listeners and backend sets so they use the new certificate bundle.

  • Optionally remove the expiring SSL certificate bundle.

Using the Console

  1. Update your client or backend server to work with a new certificate bundle.
    Note

    The steps to update your client or backend server are unique to your system.

  2. Upload the new SSL certificate bundle to the load balancer:
    1. Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears. The Load balancers page appears.

    2. Click the name of the Compartment that contains the load balancer you want to change, and then click the load balancer's name.

    3. Click the load balancer you want to configure. The load balancer's Details page appears.

    4. Click Certificates under Resources. The Certificates list appears. All certificates are listed in tabular form.

    5. Complete the following:

      • Certificate name: Enter a friendly name for the certificate bundle. It must be unique within the load balancer, and it can't be changed in the Console. (It can be changed using the API.)

      • Choose SSL certificate file: Drag the certificate file, in PEM format, into the SSL certificate field.

        You can also choose the Paste SSL certificate option to paste a certificate directly into this field.

        Important

        If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.

      • Specify CA certificate: (Recommended for backend SSL termination configurations.) Select to provide a CA certificate.

        • Choose CA certificate file: Drag the CA certificate file, in PEM format, into the CA certificate field.

          You can also choose the Paste CA certificate option to paste a certificate directly into this field.

      • Specify private key: (Required for SSL termination.) Select to provide a private key for the certificate.

        • Choose private key file: Drag the private key, in PEM format, into the Private key field.

          You can also choose the Paste private key option to paste a private key directly into this field.

        • Enter private key passphrase: (Optional) Specify the private key passphrase.

    6. Click Add certificate. Next, edit each applicable listeners or backend sets (as needed) so they use the new certificate bundle:

  3. Edit the listener:
    1. Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears.
    2. Choose the Compartment that contains the load balancer you want to change, and then click the load balancer's name.

    3. Click Listeners under Resources. The Listeners list appears. All listeners are listed in tabular form.

    4. Click the Actions menu (Actions Menu) next to the listener you wan to edit, then click Edit Listener.

    5. In the Certificate name list, choose the new certificate bundle.

    6. Click Submit.

  4. Edit a backend set:
    1. Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears.
    2. Choose the Compartment that contains the load balancer you want to change, and then click the load balancer's name.

    3. Click Listeners under Resources. The Listeners list appears. All listeners are listed in tabular form.

    4. Click the Actions menu (Actions Menu) next to the listener you wan to edit, then click Edit Listener.

    5. In the Certificate name list, choose the new certificate bundle.

    6. Click Submit.

  5. Edit a backend set:
    Important

    Updating the backend set temporarily interrupts traffic and can drop active connections.

    1. Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears.

    2. Select the Compartment from the list. All load balancers in that compartment are listed in tabular form.

    3. Select a State from the list to limit the load balancers displayed to that state.

    4. Select the load balancer whose backend set you want to edit. The load balancer's Details page appears.

    5. Click Backend sets under Resources. The Backend sets list appears. All backend sets are listed in tabular form.

    6. Click the name of the backend set you want to edit. The backend set's Details page appears.

    7. Click Edit backend set. The Edit backend set dialog box appears.

    8. Select Use SSL.

    9. In the Certificate name list, choose the new certificate bundle.

    10. Click Save changes.

  6. (Optional) Remove the expiring SSL certificate bundle.
    Note

    You can't delete an SSL certificate bundle that's associated with a listener or backend set. Remove the bundle from any other listeners or backend sets before deleting.

    1. Open the navigation menu, click Networking, and then click Load balancers. Click Load balancer. The Load balancers page appears.

    2. Click the name of the Compartment that contains the load balancer you want to change, and then click the load balancer's name.

    3. Click the load balancer you want to configure.

    4. In the Resources menu, click Certificates.

    5. For the certificate you want to delete, click the Actions menu (Actions Menu), and then click Delete.

    6. Confirm when prompted.