Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7
Fixed In:
13.1.0.8, 12.1.2 HF1
Opened: Mar 23, 2017 Severity: 3-Major
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.
When the built-in trusted certificates are obsolete, i.e., containing a certain number of expired certificates, the systems might fail to verify peers certificate correctly.
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then 'bigstart restart tmm' Alternatively, you can use a separate certificate, for example: tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.