How to replace a root/intermediate certificate in a chain on Avi
Article ID: 410741

Products

VMware Avi Load Balancer

Issue/Introduction

There are scenarios in which a Root CA or Intermediate certificate needs to be replaced in the chain of application certificates that may be configured on multiple Virtual Services.

Example Scenarios:

1. Sectigo allows cross-signing a root certificate with a well-known CA, which may be needed for older browsers/devices: https://support.sectigo.com/articles/Knowledge/Sectigo-Chain-Hierarchy-and-Intermediate-Roots

2. Replace an expiring intermediate certificate with another uploaded intermediate certificate that has an earlier expiry date (the default behavior is to pick the later-expiring certificate).

3. It may not be feasible to unlink the application certificate on all VSs in order to delete it and then the other certificates in the chain.

Environment

Applicable for all cloud environments and versions.

Cause

As per the current behavior, Avi does not allow deletion of a Root or Intermediate certificate that is already linked to an Intermediate or Application certificate in the chain, respectively.

When an attempt is made to delete a root certificate from the UI, the following must-check error is displayed, preventing the deletion:
 - "Cannot delete, object is referred by: ['SSLKeyAndCertificate xxx']"
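
The two behaviors this article relies on (scenario 2 above: the later-expiring intermediate is picked by default, and the "object is referred by" check that blocks deletion), modelled here as an added Python example on constructed data. This is not Avi code; the selection rule and the direct-link check are assumptions taken from the statements above, and the certificate names are made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    name: str       # object name as it would appear in the Avi inventory
    subject: str
    issuer: str
    not_after: date

def pick_issuer(cert, ca_certs, prefer=None):
    """CA cert selected for the next slot of `cert`'s chain.
    Default rule, as the article states: the later-expiring candidate
    among CA certs whose subject matches. `prefer` names an override."""
    if cert.subject == cert.issuer:          # self-signed root: nothing above it
        return None
    candidates = [c for c in ca_certs if c.subject == cert.issuer]
    for c in candidates:
        if c.name == prefer:
            return c
    return max(candidates, key=lambda c: c.not_after, default=None)

def build_chain(app_cert, ca_certs, prefer=None):
    """Names from the application cert up to the root, in order."""
    chain = [app_cert]
    while (nxt := pick_issuer(chain[-1], ca_certs, prefer)) and nxt not in chain:
        chain.append(nxt)
    return [c.name for c in chain]

def referrers(ca_name, certs, ca_certs):
    """Certs directly linked to `ca_name`: the 'object is referred by'
    list that blocks deleting a root or intermediate in the UI."""
    return sorted(c.name for c in certs
                  if (p := pick_issuer(c, ca_certs)) and p.name == ca_name)

# Constructed sample inventory: one root, two intermediates with the same
# subject (scenario 2 in the article), one application certificate.
ROOT = Cert("ca-root", "Example Root CA", "Example Root CA", date(2038, 1, 1))
INT_LATE = Cert("ca-int-2030", "Example Int CA", "Example Root CA", date(2030, 12, 31))
INT_EARLY = Cert("ca-int-2028", "Example Int CA", "Example Root CA", date(2028, 6, 30))
APP = Cert("app-www", "www.example.test", "Example Int CA", date(2026, 3, 1))
CA_CERTS = [ROOT, INT_LATE, INT_EARLY]

if __name__ == "__main__":
    print("default chain:", build_chain(APP, CA_CERTS))
    print("forced to earlier intermediate:", build_chain(APP, CA_CERTS, prefer="ca-int-2028"))
    print("blocking delete of ca-root:", referrers("ca-root", CA_CERTS + [APP], CA_CERTS))
```

Running it shows why the earlier-expiring intermediate is never chosen without an override, and which objects must be unlinked before a root or intermediate can be deleted.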


Resolution

Contact Broadcom Support for further assistance.

https://knowledge.broadcom.com/external/article/405686/how-to-create-a-wolken-case-for-avi-prod.html

Additional Information

Further reading on related issues:

https://knowledge.broadcom.com/external/article/404667/certificate-chain-for-imported-bundle-no.html