Bug ID 945357: BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM, SSLO, TMOS(all modules)

Fixed In:
17.0.0, 16.1.3

Opened: Sep 15, 2020

Severity: 3-Major

Symptoms

A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).

Impact

Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.

Conditions

In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.

Workaround

This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.

Fix Information

This fix enables certificates and private keys generated on the BIG-IP device via CSR's to be directly provided to certification authorities for their use. Because the CA field is set to now True, this fix adds convenience for certification authorities.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips