Last Modified: May 29, 2024
Affected Product(s):
BIG-IP LTM, SSLO, TMOS
Fixed In:
17.0.0, 16.1.3
Opened: Sep 15, 2020
Severity: 3-Major
A Certificate Signing Request (CSR) generated on the BIG-IP device is used to create a certificate. The entity that owns the resulting certificate can serve as a Certificate Authority (CA) and issue certificates and private keys to other parties, but only if the certificate has the CA field set to True (by default it is set to False).
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.
This fix enables certificates and private keys generated on the BIG-IP device via CSRs to be directly provided to certification authorities for their use. Because the CA field is now set to True, this fix adds convenience for certification authorities.