Last Modified: May 29, 2024
Affected Product(s):
BIG-IP LTM, SSLO
Known Affected Versions:
15.1.2.1, 15.1.2, 14.1.4
Fixed In:
15.1.3, 14.1.4.3
Opened: Mar 11, 2021
Severity: 2-Critical
Related Article: K11162395
-- A client system or browser does not trust forged certificates, and reports a certificate verification warning: ERR_CERT_AUTHORITY_INVALID.
-- The forged certificate received by the client has the same values set for the Authority Key Identifier (AKI) and Subject Key Identifier (SKI) certificate extensions.
The client does not trust the forged certificates and cannot connect to the backend.
The Client SSL profile used for SSL forward proxy is configured with the same certificate for both Cert Key Chain and CA Cert Key Chain, and that certificate has an SKI extension.
Modify the Cert Key Chain on the Client SSL profile so that it uses a different certificate from the CA Cert Key Chain. For details, see K11162395: A client browser may not trust the certificate issued by the BIG-IP SSL forward proxy (https://support.f5.com/csp/article/K11162395).
The certificate forged by the SSL forward proxy does not contain AKI and SKI extensions, so this issue no longer occurs.
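To confirm whether a forged certificate shows the symptom described above, the following added example (not F5 code) classifies the text output of `openssl x509 -noout -text`. The sample certificates, names, key identifiers and the `classify` helper are constructed for illustration; a self-issued CA certificate, where AKI equal to SKI is normal, is deliberately not flagged.

```python
import re

# Constructed excerpts of `openssl x509 -noout -text` output (sample values only).
AFFECTED = """\
        Issuer: CN = Example Forging CA
        Subject: CN = www.example.test
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1A:2B:3C:4D:5E:6F:70:81
            X509v3 Authority Key Identifier:
                keyid:1A:2B:3C:4D:5E:6F:70:81
"""
FIXED = """\
        Issuer: CN = Example Forging CA
        Subject: CN = www.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.test
"""
# Same extensions, but Subject == Issuer (a self-issued CA certificate).
SELF_SIGNED_CA = AFFECTED.replace("www.example.test", "Example Forging CA")

KEY_ID = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"

def _field(text, name):
    """Return the value of a top-level 'Name: value' line, or None."""
    m = re.search(r"^\s*%s:\s*(.+)$" % name, text, re.M)
    return m.group(1).strip() if m else None

def _key_id(text, ext):
    """Return the key identifier printed under 'X509v3 <ext>:' as bare hex."""
    # The value sits on the line after the header; the AKI may or may not
    # carry a "keyid:" prefix, so both forms are accepted.
    m = re.search(r"X509v3 %s:[^\n]*\n\s*(?:keyid:)?%s" % (ext, KEY_ID), text)
    return m.group(1).replace(":", "").upper() if m else None

def classify(text):
    """Classify a certificate dump against the symptom on this page."""
    ski = _key_id(text, "Subject Key Identifier")
    aki = _key_id(text, "Authority Key Identifier")
    if ski is None and aki is None:
        return "no-aki-ski"          # what the fixed versions produce
    self_issued = _field(text, "Subject") == _field(text, "Issuer")
    if ski is not None and ski == aki and not self_issued:
        return "aki-equals-ski"      # symptom of this bug
    return "ok"

if __name__ == "__main__":
    for label, dump in [("affected", AFFECTED), ("fixed", FIXED), ("ca", SELF_SIGNED_CA)]:
        print(label, classify(dump))
```
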