Last Modified: Oct 19, 2025
Affected Product(s):
BIG_IP_NEXT(CM) Install/Upgrade, TMOS
Known Affected Versions:
20.2.0, 20.2.1
Opened: Mar 15, 2024
Severity: 2-Critical
BIG-IP Next Central Manager requires that virtualization providers use a valid SSL certificate. A self-signed certificate can also be explicitly accepted by BIG-IP Next Central Manager users, if the certificate otherwise passes SSL validation successfully. When F5OS generates self-signed SSL certificates for its HTTPS services, it does not include the actual hostname or IP address in the Common Name or Subject Alternative Names (SANs) fields. As a result, this self-signed certificate will not pass SSL validation for strict TLS clients, because the HTTPS server name does not match any Subject names in the certificate.
BIG-IP Next Central Manager cannot successfully add VELOS or rSeries systems as virtualization providers, and therefore cannot dynamically create new BIG-IP Next instances on VELOS or rSeries systems.
A BIG-IP Next Central Manager user attempts to add a VELOS or rSeries system as a virtualization provider, when the VELOS or rSeries system is using the default self-signed certificate generated by the system.
1. Create a self-signed SSL certificate that includes the F5OS system's actual IP address in the Subject Alternative Names (SANs) field. For example, the following steps can be used:

   A. Save the following data into a file named "ip-san.cnf":

        [req]
        default_bits = 2048
        distinguished_name = req_distinguished_name
        req_extensions = req_ext
        x509_extensions = v3_req
        prompt = no

        [req_distinguished_name]
        countryName = XX
        stateOrProvinceName = N/A
        localityName = N/A
        organizationName = Self-signed certificate
        commonName = F5OS Self-signed certificate

        [req_ext]
        subjectAltName = @alt_names

        [v3_req]
        subjectAltName = @alt_names

        [alt_names]
        IP.1 = 127.0.0.1
        DNS.1 = f5platform.host

   B. Edit the file -- change IP.1 at the end to be the rSeries or VELOS partition management IP address. Optionally, other certificate fields may also be updated if the new cert should have specific values for them (e.g., commonName, organizationName, localityName, etc.).

   C. Run the following command, to create the two certificate files "ip-san-cert.pem" and "ip-san-key.pem":

        openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout ip-san-key.pem -out ip-san-cert.pem -config ip-san.cnf

2. In the VELOS Partition or rSeries Hardware UI:

   A. Navigate to the AUTHENTICATION & ACCESS -> TLS Configuration page.

   B. Locate and update the "TLS Certificate" and "TLS Key" text boxes to the new Cert file & Key file, respectively.

   C. The F5OS system will then use this new certificate with its HTTPS services.
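A pre-upload check for the workaround above, added here as an example and not taken from the F5 article: it generates the certificate from the same configuration, then confirms that the SANs cover the management IP and that the key belongs to the certificate. The function names, the MGMT_IP variable and the sample address 192.0.2.10 are assumptions made for this example.

```shell
# Pre-upload checks for the certificate produced by the workaround.
# MGMT_IP is a constructed sample; use the real partition management IP.
MGMT_IP="${MGMT_IP:-192.0.2.10}"

# Write the ip-san.cnf from step 1A with IP.1 set to $2, then create key and cert in $1.
make_cert() {
    dir=$1 ip=$2
    cat > "$dir/ip-san.cnf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = F5OS Self-signed certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = $ip
DNS.1 = f5platform.host
EOF
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
        -keyout "$dir/ip-san-key.pem" -out "$dir/ip-san-cert.pem" \
        -config "$dir/ip-san.cnf"
}

# Succeeds only if the certificate's SANs cover the given IP address.
san_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    [ "$pub" = "$(openssl pkey -in "$2" -pubout)" ]
}

work=$(mktemp -d)   # private (0700) directory, since it will hold the key
make_cert "$work" "$MGMT_IP"
san_covers_ip "$work/ip-san-cert.pem" "$MGMT_IP" && echo "SAN covers $MGMT_IP"
key_matches_cert "$work/ip-san-cert.pem" "$work/ip-san-key.pem" && echo "key matches certificate"
```

A certificate that fails `san_covers_ip` for the address Central Manager connects to will be rejected for the same name-mismatch reason as the default F5OS certificate.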
None