Bug ID 754567: Child clientSSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
13.1.1.5

Opened: Jan 03, 2019

Severity: 3-Major

Symptoms

Child client SSL profile's inherit-certkeychain can be unexpectedly set to false after updating the certificate file used by the profile.

Impact

The child client SSL profile may unexpectedly end up using a different cert-key-chain from its parent profile.

Conditions

The issue is seen intermittently when all of the following conditions are met.
-- The client SSL profile is a child client SSL profile, i.e., it has a parent client SSL profile.
-- The child and the parent profile are using the same certificate.
-- The certificate file is updated, for example, by using a command similar to the following:
   tmsh modify sys file ssl-cert child.crt { source-path file:///config/ssl/ssl.crt/default.crt app-service none cert-validation-options { } issuer-cert none }

Workaround

The inherit-certkeychain flag can be set only in the GUI, at: Local Traffic :: Profiles : SSL : Client :: child_profile. In the row 'Configuration: \ Certificate Key Chain', uncheck the checkbox on the right side. Doing so sets inherit-certkeychain to true (that is, the cert-key-chain is not customized for the child profile). Once the box is unchecked, the Certificate Key Chain field appears greyed out and is filled with the parent profile's cert-key-chain.
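
To find which child profiles need this workaround after a certificate file update, the following added example (not F5's code and not part of the original bug report) parses client SSL profile stanzas and lists child profiles whose inherit-certkeychain is false, along with whether their cert-key-chain currently differs from the parent's. The one-line stanza layout, the profile names and the file names in the sample are assumptions constructed for illustration.

```python
# Constructed sample (not from the bug report) in the assumed one-line layout
# of `tmsh list ltm profile client-ssl all-properties one-line`.
SAMPLE = """\
ltm profile client-ssl parent_profile { cert-key-chain { default { cert default.crt key default.key } } defaults-from clientssl inherit-certkeychain false }
ltm profile client-ssl child_ok { cert-key-chain { default { cert default.crt key default.key } } defaults-from parent_profile inherit-certkeychain true }
ltm profile client-ssl child_flipped { cert-key-chain { default { cert default.crt key default.key } } defaults-from parent_profile inherit-certkeychain false }
ltm profile client-ssl child_diverged { cert-key-chain { old { cert old.crt key old.key } } defaults-from parent_profile inherit-certkeychain false }
"""

def parse_profile(line):
    """Parse one one-line stanza into name, parent, inherit flag and chain."""
    tok = line.split()  # assumes no quoted values containing spaces
    prof = {"name": tok[3], "parent": None, "inherit": None, "chain": set()}
    depth, in_chain, i = 0, False, 4
    while i < len(tok):
        t = tok[i]
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
            in_chain = in_chain and depth > 1  # left the cert-key-chain block
        elif depth == 1 and t == "cert-key-chain":
            in_chain = True
        elif depth == 1 and t == "defaults-from":
            prof["parent"], i = tok[i + 1], i + 1
        elif depth == 1 and t == "inherit-certkeychain":
            prof["inherit"], i = tok[i + 1] == "true", i + 1
        elif in_chain and depth == 3 and t in ("cert", "key", "chain"):
            prof["chain"].add((t, tok[i + 1]))
            i += 1
        i += 1
    return prof

def audit(text):
    """Return (child, parent, chain_differs) for children with the flag false."""
    lines = [l for l in text.splitlines() if l.startswith("ltm profile client-ssl ")]
    profs = {p["name"]: p for p in map(parse_profile, lines)}
    findings = []
    for p in profs.values():
        parent = profs.get(p["parent"])  # only profiles whose parent is listed
        if parent is not None and p["inherit"] is False:
            findings.append((p["name"], p["parent"], p["chain"] != parent["chain"]))
    return findings

if __name__ == "__main__":
    for child, parent, differs in audit(SAMPLE):
        print(f"{child}: inherit-certkeychain false (parent {parent}, chain differs: {differs})")
```

A child profile that was deliberately given its own cert-key-chain also reports false, so compare the findings against the intended configuration before applying the workaround.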

Fix Information

The child profile's inherit-certkeychain flag is no longer unexpectedly set to false after updating the certificate file.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips