Bug ID 1959629: CSR generation via the GUI removes Subject Alternative Name (SAN) string. Also, when SAN is configured with small prefix chars "dns:", no error is thrown.

Last Modified: Jun 28, 2025

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
17.5.0, 17.5.1

Opened: May 27, 2025

Severity: 3-Major

Symptoms

1) The GUI does not throw an error when subject alternative name is set with lower case prefix "dns:". 2) The GUI does not set SAN strings while generating CSR on GUI. (this does not occur on 17.1.2.2)

Impact

An invalid certificate is created.

Conditions

-- Use the GUI to create a CSR which is to be signed by other CA, setting "Subject Alternative Name (SAN)" strings with prefix "dns:" in lower case instead of "DNS:". In this case, the CSR is generated but an error should occur. -- Use the GUI to create a CSR with a SAN string containing the correct prefix with capitalized "DNS:". In this case, CSR generation finishes with no error. However, looking at generated CSR, the SAN field is omitted.

Workaround

Create the CSR via tmsh (tmsh create sys crypto csr) instead of the GUI

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips