What are the ramifications of renewing a wildcard SSL certificate on a UTM 9

It looks like the only place you need to worry about, Kipland, is the certificate selection in your "Web Store" Virtual Webserver.  From whom did you purchase your wild card cert?

Cheers - Bob

Hey Bob -- you can call me Kip. Feel like we are old friends here now.

The wildcard cert was purchased and recently renewed at GoDaddy for 2 more years (no more 3 year certs from them). I don't think the webstore virtual webserver is even really used (before my time on that config) since we use HAProxy for all load balancing and reverse proxy. My concern is that I don't accidentally lock myself out of web admin or require any changes to local SSL Remote Access or any IPsec tunnels. I also need to keep the UserPortal going (although I have it locked down only to specific remote networks). I'm also way behind on the firmware updates on that one because it's the primary firewall for one of our colocated environments and has not been down for awhile. It's a SG310 running 9.413-4 and has been up now for 405 days.

I do see the webstore virtual server is on, though, and agree that I must update the cert there so my question really is the correct process. I assume I must delete the existing cert as there is no other option. All my certs are in full PEM format (cert, chain certs, private key) and I see I must upload new certs in PKCS12 format (PEM say's cert only). Should the PKCS12 file contain everything in the PEM file or just the cert and key? I see all of the CA certs under the Certificate Authority Tab but not sure if they were each extracted from the PEM, converted to PKCS12, and uploaded separately. I'm just used to creating a single PEM file with everything in it and uploading to each of my HAProxy servers for SSL offloading.

1. I assume doing this will NOT affect any SSL Remote access certificates as those are unique to each remote access user and think they use the Sophos self-signed CA.
2. I assume doing this will NOT affect any IPsec configurations as these don't use SSL/TLS.
3. I'm hoping this will not affect the User Portal since I see no HTTPS configuration relevant to that specifically.
4. I assume this WILL affect WebAdmin as it currently uses the wildcard certificate and CA certificates.
5. I assume this WILL affect Webserver Protection and the Webstore virtual server but the SSL configuration is centralized there anyway.

Hey back, Kip!

1. & 2. - Correct

3. User Portal and WebAdmin use the same cert.  If you have the expiring cert selected on the 'HTTPS Certificate' tab, selecting the new cert there solves the problem for both.

4. Yes, I see that now.

5. Again, just select the new cert in "Webstore."

A PKCS#12 includes the cert and the CA, in the UTM, a PEM can include only one.  You might be able to upload only the cert PEM if the new cert uses the same CA as the expiring one.  I'm not familiar with HAProxy, but it sounds like it handles uploading certs in a different way.  Concatenating cert, intermediate CA, CA and private key is done before using OpenSSL to create a PKCS#12 file that the UTM can upload.

Cheers - Bob

Hey back, Kip!

1. & 2. - Correct

3. User Portal and WebAdmin use the same cert.  If you have the expiring cert selected on the 'HTTPS Certificate' tab, selecting the new cert there solves the problem for both.

4. Yes, I see that now.

5. Again, just select the new cert in "Webstore."

A PKCS#12 includes the cert and the CA, in the UTM, a PEM can include only one.  You might be able to upload only the cert PEM if the new cert uses the same CA as the expiring one.  I'm not familiar with HAProxy, but it sounds like it handles uploading certs in a different way.  Concatenating cert, intermediate CA, CA and private key is done before using OpenSSL to create a PKCS#12 file that the UTM can upload.

Cheers - Bob