Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5
Fixed In:
14.0.0, 13.1.0.6, 12.1.3.4, 11.6.3.3
Opened: Jan 12, 2018 Severity: 3-Major Related Article:
K16465222
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
The system resets Certificate Key Chain to default, even though the Custom box is checked.
This happens in the following scenario: 1. Using the GUI, create a client SSL profile. 2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl. 3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default. 4. Click Update. 5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile). 6. Click Update again.
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring. You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.