Last Modified: Feb 19, 2026
Affected Product(s):
BIG-IP LTM, SSLO, TMOS
Fixed In:
17.5.1.4
Opened: Oct 21, 2025
Severity: 3-Major
Currently, the notBefore and notAfter fields of the temporarily-issued certificate are copied from the server certificate. As a result, the notBefore field may precede the current time, and the notAfter field may be later than the expiry date of the CA's signing certificate. Common Criteria allows neither. It requires that, for a temporarily-issued (i.e. forged) certificate:
1. The notBefore date is equal to or greater than the current time, and
2. The notAfter date is less than or equal to the expiry date of the CA's signing certificate, i.e. the forged certificate expires prior to the signing certificate.
The temporarily-issued (i.e. forged) certificate has validity dates that do not comply with Common Criteria requirements.
1. The device is in CC/FIPS mode
2. The backend server certificate has a notBefore date that is before the current time
3. The backend server certificate expires after its CA signing certificate (i.e. after its issuer expires)
There is no mitigation and this defect needs to be fixed.
The temporarily-issued (i.e. forged) certificates will have validity dates that conform to Common Criteria requirements.
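The two validity rules above can be checked against any forged certificate's dates. The following is an added example, not F5 code: the function names and sample dates are constructed, and clamping the server certificate's dates is an assumed way to satisfy the rules, not a description of the actual fix.

```python
from datetime import datetime, timedelta, timezone


def cc_validity_violations(not_before, not_after, issued_at, ca_not_after):
    """Return the Common Criteria validity rules a forged certificate breaks."""
    violations = []
    if not_before < issued_at:
        violations.append("notBefore precedes the time of issuance")
    if not_after > ca_not_after:
        violations.append("notAfter is later than the CA signing certificate expiry")
    return violations


def clamp_validity(server_not_before, server_not_after, issued_at, ca_not_after):
    """Derive a compliant window from the server certificate's dates (assumed approach)."""
    if ca_not_after <= issued_at:
        raise ValueError("CA signing certificate has expired")
    not_before = max(server_not_before, issued_at)   # rule 1
    not_after = min(server_not_after, ca_not_after)  # rule 2
    if not_after <= not_before:
        raise ValueError("server certificate leaves no usable validity window")
    return not_before, not_after


# Constructed sample dates matching the conditions listed above:
# server notBefore is in the past, server notAfter is beyond the CA's expiry.
NOW = datetime(2025, 10, 21, 12, 0, tzinfo=timezone.utc)
SERVER_NOT_BEFORE = NOW - timedelta(days=90)
SERVER_NOT_AFTER = NOW + timedelta(days=700)
CA_NOT_AFTER = NOW + timedelta(days=365)


def demo():
    """Compare copying the server's dates with clamping them."""
    copied = cc_validity_violations(SERVER_NOT_BEFORE, SERVER_NOT_AFTER, NOW, CA_NOT_AFTER)
    window = clamp_validity(SERVER_NOT_BEFORE, SERVER_NOT_AFTER, NOW, CA_NOT_AFTER)
    clamped = cc_validity_violations(*window, NOW, CA_NOT_AFTER)
    return copied, window, clamped


if __name__ == "__main__":
    copied, window, clamped = demo()
    print("copied dates:", copied)
    print("clamped window:", window[0].isoformat(), "->", window[1].isoformat())
    print("clamped dates:", clamped)
```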