Effortlessly monitor load balancer SSL certificates with the ADC Portal

The latest feature to be added to the ADC Portal is the ability to easily view your SSL certificates from a single window of control. So, if you've already mastered all of these features, why not give it a go?!  

Why do load balancers need SSL certificates?

If you use HTTPS (SSL or TLS) for your frontend, you must deploy an SSL/TLS certificate on your load balancer to ensure your data remains encrypted.

The load balancer uses the SSL certificate to terminate the connection and then decrypt requests from clients before sending them to the instances.

It is therefore important to monitor your load balancer certificates, to prevent an expired or invalid certificate causing a number of serious headaches.

What are the consequences of an expired or broken SSL certificate?

The nightmare scenario when you hit an expired or broken SSL certificate is a total lack of service. Which is why you should NEVER, EVER let a certificate expire.

Expired SSL certificates result in downtime. Fact. And with downtime, comes a loss of service which not only results in angry customers, but also consequential financial losses. Sweaty palm stuff to say the least.

Best case scenario? If you're really lucky, you might be able to get away with an expired or invalid SSL certificate merely leading to:

• Access issues for users trying to visit your website
• A loss of customer trust as browser warnings are triggered
• A regulatory breach by failing to utilize the required certificates

Still not great though, is it? This might explain why SSL certificate expiry is one of the biggest headaches in the industry.

How do you add an SSL certificate to your load balancer?

How you add an SSL certificate to your load balancer will be specific to your appliance, but here's how it works for our Enterprise ADCs.

You have three options:

• Upload an SSL certificate
• Generate a Certificate Signing Request (CSR)
• Generate a self-signed certificate

Uploading an SSL certificate

If you already have an SSL certificate in either PFX or PEM file format, this can be uploaded to the load balancer using the certificate upload option as explained below:

1. Using the WebUI, navigate to: Cluster Configuration > SSL Certificates.
2. Click Add a new SSL Certificate & select Upload prepared PEM/PFX file.
3. Enter a suitable Label (name) for the certificate.
4. Browse to and select the certificate file to upload (PEM or PFX format).
5. Enter the password, if applicable (PFX is a protected format).
6. Click Upload Certificate, if successful, a message similar to the following will be displayed:

cert1 SSL Certificate uploaded successfully

Generating a CSR on the load balancer

Alternatively, you can create a Certificate Signing Request (CSR) and send this to your Certificate Authority (CA) to create a new certificate, or you can create a locally signed custom certificate by following these steps:

1. Using the WebUI, navigate to: Cluster Configuration > SSL Certificates.
2. Click Add a new SSL Certificate & select Create a New SSL Certificate (CSR).
3. Enter a suitable Label (name) for the certificate.
4. Populate the remaining fields according to your requirements.
5. Once all fields are complete click Create.
6. To view the CSR click Modify next to the new certificate, then expand the Certificate Signing Request (CSR) section.
7. Copy the CSR and send this to your chosen CA.
8. Once received, copy/paste your signed certificate into the Your Certificate section.
9. Intermediate and root certificates can be copied/pasted into the Intermediate Certificate and Root Certificate sections as required.
10. Click Update to complete the process.

Generating a self-signed custom SSL certificate on the load balancer

1. Using the WebUI, navigate to: Cluster Configuration > SSL Certificates.
2. Click Add a new SSL Certificate & select Create a new Self-Signed SSL Certificate.
3. Enter a suitable Label (name) for the certificate.
4. Populate the remaining fields according to your requirements.
5. Once all fields are complete click Create.

Bear in mind though, that self-signed certificates due to a missing chain (Root - Intermediate) can also produces warnings.

For more information, refer to our Admin Manual.

What are the challenges of monitoring the SSL certificate lifecycle with a large ADC estate?

A certificate installed on the load balancer eliminates the requirement for certificates on the Real Servers, so it's not unusual for a single load balancer to have multiple SSL certificates associated with it.

Consequently, certificates on the Real Server can be expired or self-signed, as the load balancer is responsible for presenting the valid certificate to clients.

If you have a large load balancer estate, that can add up to hundreds of separate SSL certificates to keep track of.

Thankfully, with the right solution, SSL certificate expiry is an easy problem to take away.

Proactive monitoring can help you identify expiring certificates ahead of time, allowing you to renew or replace them before they cause disruptions.

How do you monitor SSL certificates in the ADC Portal?

In the Security section of the ADC Portal, simply do the following:

1. 'Click Certificates'
2. Click on the individual load balancer you're interested in
3. See any 'Expired' certificates highlighted in pink, with the expiry date and certificate name visible next to this

And that's it! Easily track you certificates and expiry dates so you can take any necessary remedial action, in less time than it takes to make a piece of toast!

Your life just got a whole lot easier

If you want to make the tedious but important task of monitoring the lifecycle of your SSL certificates effortless, register for our centralized management platform, the ADC Portal, and save yourself a bucket-load of time and energy!  

New features are being added to the Portal all the time, so don't forget to keep checking back for the latest news.

Alternatively, if you'd like to find out more about other, specific certificate lifestyle management features coming further down the line, feel free to reach out to us directly to discuss the Portal roadmap.