Last Modified: Mar 18, 2026
Affected Product(s):
BIG-IP LTM, SSLO, TMOS
Known Affected Versions:
17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3
Fixed In:
17.5.1.4
Opened: Oct 21, 2025
Severity: 3-Major
Currently, the notBefore and notAfter fields of the temporarily-issued certificate equal those of the server certificate. As a result, the notBefore field can precede the current time, and the notAfter field can be later than the expiry date of the CA's signing certificate. Common Criteria allows neither. It requires that, for a temporarily-issued (i.e. forged) certificate:
1. The notBefore date is equal to or greater than the current time, and
2. The notAfter date is less than or equal to the expiry date of the CA's signing certificate, i.e. the forged certificate expires prior to the signing certificate.
The temporarily-issued certificate has validity dates that do not comply with Common Criteria requirements.
1. The device is in CC/FIPS mode
2. The backend server certificate has a notBefore date that is before the current time
3. The backend server certificate expires after its CA signing certificate (i.e. after its issuer expires)
None
The temporarily-issued certificates will have validity dates that conform to Common Criteria requirements.
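The two Common Criteria validity rules described in this report, written as a check and a clamp. This is an added illustration, not F5's code: the names `Validity`, `cc_violations` and `clamp_validity` are hypothetical, deriving the window by clamping the server certificate's dates is an assumed approach, and the dates are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Validity:
    not_before: datetime
    not_after: datetime


def cc_violations(forged: Validity, ca_not_after: datetime, issued_at: datetime) -> list[str]:
    """Return which of the two rules stated in this report a forged cert breaks."""
    problems = []
    if forged.not_before < issued_at:
        problems.append("notBefore precedes the current time")
    if forged.not_after > ca_not_after:
        problems.append("notAfter is later than the CA signing certificate's expiry")
    return problems


def clamp_validity(server: Validity, ca_not_after: datetime, issued_at: datetime) -> Validity:
    """Derive a compliant window from the server cert's dates (assumed approach)."""
    not_before = max(server.not_before, issued_at)
    not_after = min(server.not_after, ca_not_after)
    if not_before >= not_after:
        # Server cert or signing CA already expired, or the server cert only
        # becomes valid after the CA expires: no window satisfies both rules.
        raise ValueError("no compliant validity window exists")
    return Validity(not_before, not_after)


# Constructed dates matching the conditions in this report: the server cert's
# notBefore is in the past and it expires after its issuer does.
NOW = datetime(2025, 10, 21, 12, 0, tzinfo=timezone.utc)
CA_NOT_AFTER = NOW + timedelta(days=90)
SERVER = Validity(NOW - timedelta(days=30), NOW + timedelta(days=365))

if __name__ == "__main__":
    # Copying the server's dates (the behaviour reported here) breaks both rules.
    print("copied dates :", cc_violations(SERVER, CA_NOT_AFTER, NOW))
    fixed = clamp_validity(SERVER, CA_NOT_AFTER, NOW)
    print("clamped dates:", cc_violations(fixed, CA_NOT_AFTER, NOW))
    print("window       :", fixed.not_before.isoformat(), "->", fixed.not_after.isoformat())
```
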