Bug ID 1933965: Unable to associate multiple cert/keys of different types to Certificate Key Chain via TMSH

Last Modified: Jun 19, 2025

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2

Opened: May 02, 2025

Severity: 4-Minor

Symptoms

The following error is thrown when an RSA cert/key followed by an ECDSA cert/key is assigned with this command:

    tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with { _cert_rsa_0 { cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER } _cert_ecdsa_0 { cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER } }

Error:

    010717e1:3: Client SSL profile (/path/_ssl_server): cannot contain more than one set of same certificate/key type.

Impact

Unable to create the client SSL profile

Conditions

Assigning RSA cert/key followed by ECDSA cert/key

Workaround

Workaround 1: Change the certificate chain order so that the ECDSA cert/key occurs before the RSA cert/key.

    tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with \{ _cert_ecdsa_0 \{ cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER \} _cert_rsa_0 \{ cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER \} \}

    tmsh list ltm profile client-ssl /path/_ssl_server
    ltm profile client-ssl /path/_ssl_server {
        app-service none
        cert-key-chain {
            _cert_ecdsa_0 {
                cert /path/_cert_ecdsa.crt
                key /path/_cert_ecdsa.key
            }
            _cert_rsa_0 {
                cert /path/_cert_rsa.crt
                key /path/_cert_rsa.key
            }
        }
        inherit-ca-certkeychain true
        inherit-certkeychain false
    }

Workaround 2: Create a Client SSL profile and associate only one RSA cert/key with it. Then associate the ECDSA cert/key with the same Client SSL profile.

1) Create the SSL profile and associate only the RSA cert/key with the Certificate Key Chain.

    # tmsh create ltm profile client-ssl /path/_ssl_server cert-key-chain replace-all-with \{ _cert_rsa_0 \{ cert /path/_cert_rsa.crt key /path/_cert_rsa.key chain none usage SERVER \} \}

2) Associate the existing ECDSA cert/key with the Certificate Key Chain of the above SSL profile.

    # tmsh modify ltm profile client-ssl /path/_ssl_server cert-key-chain add {_cert_ecdsa_0 { cert /path/_cert_ecdsa.crt key /path/_cert_ecdsa.key chain none usage SERVER }}

    tmsh list ltm profile client-ssl /path/_ssl_server
    ltm profile client-ssl /path/_ssl_server {
        app-service none
        cert-key-chain {
            _cert_ecdsa_0 {
                cert /path/_cert_ecdsa.crt
                key /path/_cert_ecdsa.key
            }
            _cert_rsa_0 {
                cert /path/_cert_rsa.crt
                key /path/_cert_rsa.key
            }
        }
        inherit-ca-certkeychain true
        inherit-certkeychain false
    }

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips